CVE-2026-48788
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
Remark42, a comment engine for blogs, has an XSS vulnerability in versions 1.6.0 through 1.15.0 that can be exploited through content-type spoofing. An attacker can use this flaw to inject malicious HTML/JavaScript code into a document within Remark42.
Risk Assessment
This vulnerability allows attackers to execute malicious code in the context of Remark42 users, potentially leading to data theft or session hijacking. Organizations using this version are at risk of XSS attacks.
Recommendation
It is recommended to upgrade to version 1.16.0, which fixes this vulnerability. Additional security measures, such as input filtering and validation, should also be considered.
Original NVD description (English source)
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.

