Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L

Description

Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.

Basic Information

ID CVE-2026-48999

Source zte

Published May 27, 2026 at 02:25

Affected Product

Vendor ZTE

Product ZTE ZXUniPOS NDS-LTE

Version V24.30.40CP02

Affected Versions ZTE ZTE ZXUniPOS NDS-LTE V24.30.40CP02
ZTE ZTE ZXUniPOS NDS-LTE V24.40.40

CWE Classification

CWE-79

References

support.zte.com.cn /zte-iccp-isupport-webui/bulletin/detail/2811026568490730190

{
    "lastseen": "",
    "description": "Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser.Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content.Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks.",
    "published": "2026-05-27T02:25:20.004Z",
    "modified": "2026-05-27T02:25:20.004Z",
    "type": "cve",
    "title": "Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product",
    "source": "zte",
    "references": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2811026568490730190",
    "id": "CVE-2026-48999",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "ZTE ZTE ZXUniPOS NDS-LTE V24.30.40CP02\nZTE ZTE ZXUniPOS NDS-LTE V24.40.40",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ZTE ZXUniPOS NDS-LTE",
    "version": "V24.30.40CP02",
    "vendor": "ZTE",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product_CVE-2026-48999