CVE-2026-38949

{"id": "CVE-2026-38949", "cveTags": [], "metrics": {}, "published": "2026-04-28T19:37:38.937", "references": [{"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md", "source": "cve@mitre.org"}, {"url": "https://github.com/danpros/htmly", "source": "cve@mitre.org"}, {"url": "https://youtu.be/3e-tzUMCox8", "source": "cve@mitre.org"}, {"url": "https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "descriptions": [{"lang": "en", "value": "Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code"}], "lastModified": "2026-04-29T16:16:23.690", "sourceIdentifier": "cve@mitre.org"}