🔐 CVE Alert

CVE-2026-40457

UNKNOWN 0.0

Reflected XSS in LMS

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.

CWE: CWE-79
Vendor: lms
Product: lms
Published: Jun 18, 2026
Last Updated: Jun 18, 2026

Affected Versions

LMS / LMS
0 < 9c5651b

References

github.com: https://github.com/chilek/lms/commit/9c5651b39bfd086cc34fc9a78ddaa8c0815af114
cert.pl: https://cert.pl/posts/2026/06/CVE-2026-40455
lms.org.pl: https://lms.org.pl/

Credits

Tymoteusz Dominik