Description
JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.
Published: 2026-03-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing script injection
Action: Apply Patch
AI Analysis

Impact

This flaw occurs in JiZhiCMS version 2.5.6 and earlier within the release function of the user controller. The input sanitization removes <script> tags but leaves dangerous attributes such as onerror on <img> tags untouched. An authenticated attacker can submit a POST request to /user/release.html with a crafted body that contains malicious JavaScript or HTML, which is then stored and executed in the browser context of any user who views the content, enabling client‑side data theft, session hijacking, or page defacement.

Affected Systems

JiZhiCMS, particularly versions 2.5.6 and before, are impacted. No additional vendors or products were identified by the CNA. The vulnerability is referenced by the CPE string jizhicms:jizhicms.

Risk and Exploitability

The CVSS base score of 5.4 indicates medium severity, while the EPSS score of less than 1% points to a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the CMS, limiting the attack surface to privileged users. The primary consequence is that arbitrary client‑side code can be injected and executed in the browsers of other logged‑in users.

Generated by OpenCVE AI on March 25, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of JiZhiCMS that fixes the XSS issue or install the vendor‑provided patch.
  • If an upgrade cannot be performed immediately, restrict the /user/release.html endpoint to trusted accounts or disable it until remediation is complete.
  • Implement stricter input validation on the body parameter, stripping event attributes and script tags before storage.
  • Review existing content for malicious payloads and sanitize or remove them.
  • Monitor web‑server logs for suspicious POST requests to /user/release.html and block offending IP addresses or users.

Generated by OpenCVE AI on March 25, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Title Stored XSS in JiZhiCMS via Body Parameter Stored XSS in JiZhiCMS Release Function Allows Authenticated Script Injection

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Stored XSS in JiZhiCMS via Body Parameter

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jizhicms:jizhicms:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Jizhicms
Jizhicms jizhicms
Vendors & Products Jizhicms
Jizhicms jizhicms

Tue, 24 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.
References

Subscriptions

Jizhicms Jizhicms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T18:48:50.916Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29840

cve-icon Vulnrichment

Updated: 2026-03-24T18:48:47.135Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:30.907

Modified: 2026-03-25T20:49:31.147

Link: CVE-2026-29840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:26Z

Weaknesses