GHSA-3vrh-xvg4-68rm · Severity: low — A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before...
A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the "dbrecover.php" and "netremap.php" modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.
Conclusion & alert: CVE-2026-40457 is rated Low Risk (16.6/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.32%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-19 | — | 0.32% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.1 | 4.0 | LOW |
|
— | — | [email protected] |
GHSA-3vrh-xvg4-68rm · Severity: low — A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||