CVE-2026-40457
CWE-79Published: June 18, 2026· Updated: Jun 22, 2026
Official Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.
Technical Analysis
CVE-2026-40457 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (A) is needed, which slightly reduces the risk of mass automated attacks.
From a weakness classification perspective (CWE-79): Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (3)
Quick Facts
Related CVEs (CWE-79)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40457 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts