CVE-2026-25144 Overview
CVE-2026-25144 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Talishar, a fan-made web-based implementation of the Flesh and Blood trading card game. The vulnerability exists in the in-game chat system, where the playerID parameter in SubmitChat.php is stored without proper sanitization. Malicious scripts injected through this parameter execute whenever any user views the affected game page, allowing attackers to compromise other players' sessions.
Critical Impact
Attackers can inject persistent malicious scripts into the chat system that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of victims.
Affected Products
- Talishar (versions prior to commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4)
Discovery Timeline
- 2026-02-02 - CVE-2026-25144 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-25144
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) occurs due to improper input validation in the Talishar application's chat functionality. When a user submits a chat message, the playerID parameter is processed by SubmitChat.php and stored directly in the database without sanitization or encoding. Subsequently, when any user loads a game page containing this chat history, the malicious payload is rendered and executed in their browser context.
The network-accessible nature of this vulnerability means attackers can exploit it remotely without authentication. Once the malicious script is stored, it persists and affects all users who view the compromised game chat, creating a persistent attack vector that can target multiple victims from a single injection point.
Root Cause
The root cause of this vulnerability is the absence of input sanitization and output encoding in the chat message handling workflow. The SubmitChat.php script accepts the playerID parameter and stores it directly without validating or escaping special characters that could be interpreted as HTML or JavaScript. This allows attackers to inject script tags or event handlers that are subsequently rendered as executable code when the chat content is displayed to users.
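As an added illustration (not Talishar's code and not the fix commit), the following PHP contrasts the pattern described above, where playerID is stored and rendered verbatim, with a hardened form that validates the value on input and HTML-encodes it on output; the request field names, the allowed playerID values and the in-memory $chatLog are assumptions.

```php
<?php
// Added illustration (not Talishar's code or its fix commit) of the pattern the
// advisory describes beside a hardened form. Request field names, the allowed
// playerID values and the in-memory $chatLog are assumptions for the example.
// Vulnerable pattern: playerID is taken from the request, stored as-is and
// later placed into HTML unchanged, so any markup in it becomes live markup.
function storeChatVulnerable(array $post, array &$chatLog): void
{
    $chatLog[] = ['playerID' => $post['playerID'], 'msg' => $post['chatText']];
}
function renderChatVulnerable(array $chatLog): string
{
    $html = '';
    foreach ($chatLog as $row) {
        $html .= "<div class=\"chat\"><b>{$row['playerID']}</b>: {$row['msg']}</div>\n";
    }
    return $html;
}
// Hardened form, two independent layers: (1) validate on input, since playerID
// is an identifier and only the seat ids the game uses (assumed "1" and "2")
// are legitimate; (2) encode on output, so a value that slipped past
// validation still cannot inject markup when the chat is rendered.
function storeChatHardened(array $post, array &$chatLog): bool
{
    if (!in_array($post['playerID'] ?? null, ['1', '2'], true)) {
        return false;                              // reject, do not "clean"
    }
    $chatLog[] = ['playerID' => $post['playerID'], 'msg' => (string)($post['chatText'] ?? '')];
    return true;
}
// HTML-escape a value for a text node or double-quoted attribute.
function e(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); }
function renderChatHardened(array $chatLog): string
{
    $html = '';
    foreach ($chatLog as $row) {
        $html .= '<div class="chat"><b>' . e($row['playerID']) . '</b>: ' . e($row['msg']) . "</div>\n";
    }
    return $html;
}
// Constructed request with markup in playerID: the vulnerable path stores and
// renders it verbatim, the hardened path rejects it before storage.
$post = ['playerID' => '<script>alert(1)</script>', 'chatText' => 'gg'];
$log = [];
storeChatVulnerable($post, $log);
echo renderChatVulnerable($log);            // the <script> tag reaches the browser as code
$log = [];
var_dump(storeChatHardened($post, $log));   // bool(false)
storeChatHardened(['playerID' => '1', 'chatText' => '<b>gg</b>'], $log);
echo renderChatHardened($log);              // &lt;b&gt;gg&lt;/b&gt; is shown as text
```

Rejecting an unexpected identifier outright is preferable to stripping characters from it, and output encoding is the layer that still holds if a different entry point bypasses the input check.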
Attack Vector
The attack is executed over the network and requires no user interaction beyond viewing the compromised game page. An attacker crafts a malicious payload containing JavaScript code and submits it through the chat system using the playerID parameter. The payload is stored persistently and executes in the browser of any user who subsequently views the game containing the malicious chat entry.
The vulnerability mechanism involves unsanitized user input being stored and later rendered into the page HTML without encoding. For technical implementation details, refer to the GitHub Security Advisory GHSA-rrr4-h2pc-57g6 and the fix commit.
Detection Methods for CVE-2026-25144
Indicators of Compromise
- Unusual JavaScript patterns or encoded script tags appearing in chat message logs or database records
- Unexpected network requests originating from user browsers to external domains when viewing game pages
- User reports of unusual behavior, pop-ups, or redirect attempts while using the chat feature
- Presence of event handlers (e.g., onerror, onload, onclick) or <script> tags in stored chat data
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payload patterns in HTTP requests
- Monitor application logs for suspicious input patterns containing HTML tags, JavaScript keywords, or URL-encoded script sequences
- Deploy browser-based Content Security Policy (CSP) violation reporting to detect inline script execution attempts
- Regularly audit database contents for stored XSS indicators in user-generated content fields
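An added example (not Talishar's code) of the database audit recommended above: a PHP pass over stored chat rows that decodes URL and HTML-entity encoding before matching the indicator classes from the IoC list. The row shape (id, playerID, chatText) and the sample rows are constructed for the example; in a real audit the rows would be read from the chat table.

```php
<?php
// Added example (not Talishar's code) of an audit pass over stored chat rows.
// The row shape (id, playerID, chatText) and the sample rows are constructed.
// Normalise a stored value before matching: markup can be hidden behind URL
// encoding or HTML entities, so decode both (two rounds catch double encoding)
// and lower-case the result for case-insensitive matching.
function normaliseForScan(string $value): string
{
    for ($i = 0; $i < 2; $i++) {
        $value = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return strtolower($value);
}
// Indicator classes from the advisory: script tags, inline event-handler
// attributes and javascript: URLs, plus other script-capable embedding tags.
function xssIndicators(string $value): array
{
    $text = normaliseForScan($value);
    $checks = ['script-tag' => '/<\s*script\b/', 'event-handler' => '/\bon[a-z]+\s*=/',
               'javascript-uri' => '/javascript\s*:/', 'embedding-tag' => '/<\s*(iframe|object|embed|svg)\b/'];
    $hits = [];
    foreach ($checks as $name => $pattern) {
        if (preg_match($pattern, $text)) $hits[] = $name;
    }
    return $hits;
}
// Scan every row and return only the entries that need a human look.
function scanChatRows(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (['playerID', 'chatText'] as $field) {
            $hits = xssIndicators((string)($row[$field] ?? ''));
            if ($hits !== []) {
                $findings[] = ['id' => $row['id'], 'field' => $field, 'indicators' => $hits];
            }
        }
    }
    return $findings;
}
// Constructed rows: two benign, one raw tag, one URL-encoded event handler.
$rows = [
    ['id' => 1, 'playerID' => '1', 'chatText' => 'gg wp'],
    ['id' => 2, 'playerID' => '2', 'chatText' => 'onward to round 2 = fun'],
    ['id' => 3, 'playerID' => '<script>x</script>', 'chatText' => 'hi'],
    ['id' => 4, 'playerID' => '%3Cimg%20onerror%3Dx%3E', 'chatText' => 'hi'],
];
print_r(scanChatRows($rows));   // flags row 3 (script-tag) and row 4 (event-handler)
```

Findings are review candidates rather than verdicts; row 2 shows why the event-handler pattern requires an equals sign after the attribute name, so ordinary words starting with "on" are not flagged.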
Monitoring Recommendations
- Enable detailed logging for all chat submission endpoints, including full parameter values
- Configure real-time alerts for requests containing potential XSS signatures such as <script>, javascript:, or encoded variants
- Monitor for anomalous session activity patterns that may indicate session hijacking following XSS exploitation
How to Mitigate CVE-2026-25144
Immediate Actions Required
- Update Talishar to a version that includes commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 or later
- Review and sanitize existing chat data in the database to remove any potentially malicious stored payloads
- Implement a Content Security Policy (CSP) header to prevent inline script execution as a defense-in-depth measure
- Temporarily disable the chat feature if immediate patching is not possible
Patch Information
The vulnerability has been fixed in commit 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4. Administrators should update their Talishar installation to include this fix. The patch implements proper input sanitization for the playerID parameter in the chat submission process. For detailed information about the fix, see the GitHub Commit Details.
Workarounds
- Deploy a Web Application Firewall with XSS filtering rules in front of the Talishar application
- Implement server-side input validation to strip or encode HTML special characters from all user-supplied parameters
- Add Content-Security-Policy headers to restrict inline script execution and limit trusted script sources
- Temporarily disable or restrict access to the chat functionality until the patch can be applied
# Example Apache configuration for CSP header (requires mod_headers to be enabled)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.