CVE-2026-33559 MEDIUM

CVE-2026-33559

Vendor Mika

Product OpenStreetMap

Weakness CWE-79 · XSS

Published March 27, 2026

Last update March 27, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.

Explanation of Vulnerability in Simple Terms

02Summary

MiKa OpenStreetMap contains a cross-site scripting (XSS) vulnerability in versions prior to 6.1.15. An attacker with low-level user privileges can inject malicious scripts that execute in other users' browsers when they visit affected pages. The vulnerability requires user interaction and can affect the confidentiality and integrity of user sessions.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers to steal session data or modify page content.

Potential impact on your site

04Site Impact

User accounts and sessions are at risk; attackers can steal credentials or perform actions as other users.

Conditions required to exploit

05Prerequisites

Attacker needs a low-privilege user account and must trick a victim into visiting a crafted link or page.

Key dates

06Disclosure timeline

March 27, 2026 CVE published

March 27, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33559 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities