CVE-2026-38579
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain, id, and ptid_key parameters in /substudy/ezform.php.
Risk Assessment
Attackers can exploit these vulnerabilities to conduct XSS attacks, potentially leading to user data theft or session hijacking.
Recommendation
It is recommended to validate and encode user input before displaying it in HTML and to update to the latest version of the software to eliminate these vulnerabilities.
Original NVD description (English source)
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding.

