Description
A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling Management Module. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-02
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Task Scheduling Management Module of CicadasCMS, specifically within ScheduleJobController.java. An attacker can supply crafted input that is rendered without proper escaping, resulting in arbitrary JavaScript execution in the context of a victim’s browser. Injected scripts could steal session tokens, deface pages, or redirect users. The vulnerability is exploited remotely over the network, and a public exploit has been released that demonstrates the attack surface.

Affected Systems

All installations of westboy CicadasCMS up to the git revision 2431154dac8d0735e04f1fd2a3c3556668fc8dab are affected. Due to the rolling‑release model, the product does not publish discrete version numbers, so any deployed instance prior to the fix is vulnerable.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity level. The EPSS score is not available, making the likelihood of exploitation unknown. The vulnerability is not listed in the CISA KEV catalog. Attackers can remotely trigger the XSS by accessing the scheduling endpoint with a specially crafted payload; no privileges or local access are required. Once exploited, the damage is limited to the victim’s browser context but can lead to credential theft or session hijacking.

Generated by OpenCVE AI on June 2, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest CicadasCMS patch that removes the unescaped output in ScheduleJobController.java
  • If a patch is unavailable, implement server‑side output encoding for all parameters processed by ScheduleJobController
  • Add role‑based access control so that only administrators can invoke scheduling operations
  • Configure a web application firewall or other input‑validation middleware to block known XSS payloads

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description |  | A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling Management Module. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title |  | westboy CicadasCMS Task Scheduling Management ScheduleJobController.java cross site scripting
First Time appeared |  | Westboy; Westboy cicadascms
Weaknesses |  | CWE-79; CWE-94
CPEs |  | cpe:2.3:a:westboy:cicadascms:*:*:*:*:*:*:*:*
Vendors & Products |  | Westboy; Westboy cicadascms
References |  | 
Metrics |  | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 |  | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 |  | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 |  | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Westboy Cicadascms
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T12:27:26.417Z

Reserved: 2026-06-01T10:27:22.086Z

Link: CVE-2026-10529

Vulnrichment

Updated: 2026-06-02T12:27:19.659Z

NVD

Status: Deferred

Published: 2026-06-02T02:16:14.997

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:30:25Z

Weaknesses