Fusion Builder: Stored Cross-Site Scripting Allows Malicious Code Injection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

Fusion Builder: Stored Cross-Site Scripting Allows Malicious Code Injection

CVE-2026-25472

Summary

Fusion Builder, a website building tool, has a security flaw that allows hackers to inject malicious code into its pages. This can happen when a user enters a specially crafted input, and the code is stored and executed on other users' browsers. To stay safe, update Fusion Builder to the latest version, which is 3.14.4 or later.

Original title

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Stored XSS.This issue affects Fusion Builder: ...

Original description

nvd CVSS3.1 6.5

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://patchstack.com/database/Wordpress/Plugin/fusion-builder/vulnerability/wo...

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026