CVE-2026-29840

Medium CVSS: 5.4

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.

Vendor

Jizhicms

Product

Jizhicms

CWE

CWE-79

Yayın Tarihi

2026-03-24 16:16:30

Güncelleme

2026-03-25 20:49:31

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Jizhicms MEDIUM Jizhicms 2026

Referanslar

http://www.demo.com/user/release/molds/article.html https://gist.github.com/w-p-man/790f51f918499798180a8def3a6fdfb0

Benzer Kayıtlar

Medium

CVE-2026-3292

A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frph…

High

CVE-2025-70397

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter.

High

CVE-2020-37117

jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated adm…

Medium

CVE-2025-14013

A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.p…

Medium

CVE-2025-14011

A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Co…

Medium

CVE-2025-14012

A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of…