CVE-2026-43938

HIGH 8.1

YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger (YAFNET.Core/Logger/DbLogger.cs) captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column whenever an event (e.g., an unhandled exception) is logged. The admin event-log page (YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs) later deserializes that JSON in FormatStackTrace() and interpolates the UserAgent value directly into an HTML string with no encoding, and the Razor view EventLog.cshtml emits the result through @Html.Raw. This vulnerability is fixed in 4.0.5 and 3.2.12.

CWE	CWE-79 CWE-80 CWE-116
Vendor	yafnet
Product	yafnet
Published	May 12, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for yafnet yafnet

Be the first to know when new high vulnerabilities affecting yafnet yafnet are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

YAFNET / YAFNET

>= 4.0.0-beta.1, < 4.0.5 < 3.2.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/YAFNET/YAFNET/security/advisories/GHSA-33gv-fc78-qgf5