CVE-2026-5361 — Cross-Site Scripting (XSS)

/MEDIUM /CVSS 6.4/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
National Vulnerability Database vulnerabilitycvemedium-severitycross-site-scripting-xsscwe-79
CVE-2026-5361 — Cross-Site Scripting (XSS)

CVE-2026-5361 — The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() f

What This Means For You

  • If your environment is affected by CWE-79, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-5361 updates and patches.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.001 PowerShell Execution T1566.002 Cross-Site Scripting Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

medium T1190 Initial Access

Envira Gallery Lite Stored XSS via REST API - CVE-2026-5361

Sigma YAML — free preview 
title: Envira Gallery Lite Stored XSS via REST API - CVE-2026-5361
id: scw-2026-05-14-ai-1
status: experimental
level: medium
description: |
  Detects attempts to exploit CVE-2026-5361 by sending a POST request to the Envira Gallery Lite REST API endpoint '/wp-json/envira/v1/update_gallery_data' with a payload containing the 'arrows' parameter, which is vulnerable to Stored XSS due to insufficient sanitization and improper output escaping.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5361/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/wp-json/envira/v1/update_gallery_data'
      cs-method:
          - 'POST'
      cs-uri-query|contains:
          - 'arrows'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-5361 vulnerability CVE-2026-5361
CWE-79 weakness CWE-79

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 08:16 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8280 — GitLab CE/EE Affecting All Versions From 8.3 Before 18.9.7, Denial of Service

CVE-2026-8280 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-770
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-8181: WordPress Burst Statistics Plugin Critical Auth Bypass

CVE-2026-8181 — The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1....

vulnerabilityCVEcriticalhigh-severityprivilege-escalationcwe-287
/SCW Vulnerability Desk /CRITICAL /9.8 /⚑ 3 IOCs /⚙ 6 Sigma

GitLab CVE-2026-7481: Developer XSS Vulnerability Patched

CVE-2026-7481 — GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that...

vulnerabilityCVEhigh-severitycwe-79
/SCW Vulnerability Desk /HIGH /8.7 /⚑ 4 IOCs /⚙ 3 Sigma