CVE-2026-25144
Talishar has a Stored XSS which can lead to data exfiltration & user impersonation
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
Talishar · Talishar