CVE-2006-3366

Exp

Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

Published: 2006-07-06 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

NVD Status：Modified，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2006-3366 is rated Exploit Available (53.3/100): CVSS Low severity, with medium exploitation likelihood (EPSS 1.82%). Core evidence: 8 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.33% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2006-3366

EDB-ID	Source	Kind	Published	Link
28071	exploit_db	edb	2006-06-20	Exploit-DB ↗
28073	exploit_db	edb	2006-06-20	Exploit-DB ↗
28072	exploit_db	edb	2006-06-20	Exploit-DB ↗
28070	exploit_db	edb	2006-06-20	Exploit-DB ↗
28074	exploit_db	edb	2006-06-20	Exploit-DB ↗
28069	exploit_db	edb	2006-06-20	Exploit-DB ↗
28068	exploit_db	edb	2006-06-20	Exploit-DB ↗
—	nvd_ref	exploit_tag		Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2006-3366

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.48%	1.82%	+1.33%
2	2025-04-16	0.42%	0.48%	+0.07%
3	2025-03-17	—	0.42%	—

Full EPSS history (8 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2006-3366

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
2.6	2.0	LOW	`AV:N/AC:H/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:H) Exploitation requires uncommon or highly specific conditions. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	4.9	2.9	[email protected]

Weakness enumeration for CVE-2006-3366

Affected software / configurations for CVE-2006-3366

Vendor	Product	Version	Raw CPE
v3_chat	v3_chat	beta	cpe:2.3:a:v3_chat:v3_chat:beta:::::::*

References for CVE-2006-3366

URL	Tags
http://securitytracker.com/id?1016340	Exploit
http://www.securityfocus.com/archive/1/437755/100/200/threaded
http://www.securityfocus.com/archive/1/438069/100/200/threaded
http://www.securityfocus.com/bid/18543
http://www.vupen.com/english/advisories/2006/2474

cvelogic Threat Intelligence