CVE-2026-38949 PUBLISHED

Assigner: mitre
Reserved: 06.04.2026 Published: 28.04.2026 Updated: 28.04.2026

Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code

Product Status

Vendor	n/a
Product	n/a
Versions	Version n/a is affected

References

https://github.com/danpros/htmly
https://youtu.be/3e-tzUMCox8
https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md

Problem Types

n/a text