CVE-2026-53737 MEDIUM

CVE-2026-53737: Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

Vendor Saas.group

Product Juicer

Weakness CWE-79 · XSS

Published June 10, 2026

Last update June 11, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-53737

Related vulnerabilities

04Related CVE

CVE-2025-57999 WordPress WPKoi Templates for Elementor Plugin <= 3.4.3 - Cross Site Scripting (XSS) Vulnerability CVE-2026-20075 Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerability CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute CVE-2023-6774 CodeAstro POS and Inventory Management System register_account cross site scripting CVE-2025-2986 IBM Maximo Asset Management cross-site scripting