CVE-2026-48999 MEDIUM

CVE-2026-48999: Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product

Vendor Zte
Product ZXUniPOS NDS-LTE
Weakness CWE-79 · XSS
Published May 27, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01Description

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-34011 WordPress ShopConstruct Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS) CVE-2025-23892 WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-53974 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-48305 WordPress Goal Tracker for Patreon plugin <= 0.4.6 - Cross Site Scripting (XSS) vulnerability CVE-2026-34812 Endian Firewall /cgi-bin/proxypolicy.cgi mimetypes Stored Cross-Site Scripting