Description

A Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1, in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-28 | Updated 2026-04-29 | Assigner mitre

References

github.com/...ve-research/blob/main/CVE-2026-38949/README.md exploit

github.com/danpros/htmly

youtu.be/3e-tzUMCox8

cve.org (CVE-2026-38949)

nvd.nist.gov (CVE-2026-38949)