CVE-2026-53737 PUBLISHED

Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

Assigner: VulnCheck
Reserved: 10.06.2026
Published: 10.06.2026
Updated: 11.06.2026

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.3

Product Status

Vendor: saas.group
Product: Juicer
Versions:
  • affected from 0 to 1.12.18 (incl.)

Credits

  • Scott Moore - VulnCheck finder

Problem Types

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE