Description
Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the First Name and Last Name parameters.
Published: 2026-04-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Multiple stored cross‑site scripting flaws exist in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS version 10.7.1. An attacker can inject arbitrary HTML or JavaScript into the First Name and Last Name parameters, which are stored and later rendered when the data is viewed, compromising the confidentiality, integrity, and availability of the application.

Affected Systems

DDSN Interactive Acora CMS v10.7.1 is the only version confirmed vulnerable. Web installations exposing the submit_add_user.asp endpoint to users are impacted; no other vendors or products are reported to be affected.

Risk and Exploitability

The CVSS score of 5.4 denotes moderate risk, while the absence of an EPSS measurement and a KEV listing indicates limited known exploitation. The attack path involves submitting a crafted payload to submit_add_user.asp, after which any user who views the stored data will execute the injected script. If the endpoint is publicly reachable, the threat surface is broad, necessitating prompt remediation.

Generated by OpenCVE AI on April 2, 2026 at 03:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply an official Acora CMS patch that fixes the stored XSS in submit_add_user.asp.
  • If no patch exists, upgrade to a newer Acora CMS release that includes input validation for user data.
  • Sanitize First Name and Last Name inputs on the server side to escape dangerous characters.
  • Add Content Security Policy headers to restrict execution of embedded scripts.
  • Monitor logs for unusual script injections and review user profiles for unexpected content.

Generated by OpenCVE AI on April 2, 2026 at 03:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Stored XSS in Acora CMS User Submission Endpoint
First Time appeared Ddsn
Ddsn acora Cms
Vendors & Products Ddsn
Ddsn acora Cms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the First Name and Last Name parameters.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Ddsn Acora Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T19:08:33.198Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29598

cve-icon Vulnrichment

Updated: 2026-04-01T19:04:31.835Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-01T15:22:58.443

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-29598

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:09:52Z

Weaknesses