CVE-2026-3027 - Vulnerability Details

- erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting

Description

A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-23

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the UEditor component of erzhongxmu JEEWMS, specifically the getContent.jsp script. An attacker can manipulate the myEditor argument supplied to this endpoint, which results in reflected cross site scripting. The flaw is a classic example of CWE‑79, with a secondary indication of CWE‑94 suggesting potential code evaluation issues. If an attacker injects malicious JavaScript, it will execute in the context of any user who visits the affected page.

Affected Systems

Vendors erzhongxmu and product JEEWMS are impacted. The flaw exists in all releases up to and including version 3.7. No specific sub‑versions are listed, so any installation of JEEWMS 3.7 or earlier should be considered vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places the risk in the moderate range, and the EPSS score of less than 1 % indicates a low probability of exploitation in the current landscape, though it is not zero. The vulnerability is not listed in the CISA KEV catalog. The exploit can be launched remotely through a crafted request to the getContent.jsp URL, with no authentication required. The likely attack vector is a reflected XSS delivered via the myEditor parameter to a victim’s browser. Once the script runs, an attacker could perform actions such as session hijacking, defacement, or phishing, depending on the privileges of the victim.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

erzhongxmu

JEEWMS

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—
`3.3`	affected	—
`3.4`	affected	—
`3.5`	affected	—
`3.6`	affected	—
`3.7`	affected	—

Configuration 1 [-]

cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Jeewms

95%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`3.1`	affected	generic	—
`3.2`	affected	generic	—
`3.3`	affected	generic	—
`3.4`	affected	generic	—
`3.5`	affected	generic	—
`3.6`	affected	generic	—
`3.7`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update JEEWMS to the latest available release or apply the vendor supplied patch once it becomes available
If an update is unavailable, modify or disable the UEditor component, ensuring that the myEditor parameter is properly sanitized or filtered to prevent injection of arbitrary scripts
Implement web application firewall rules or CSP headers to detect and block reflected XSS payloads in outgoing responses
Regularly scan and monitor web traffic for anomalous requests containing script markers or HTML injection patterns

Generated by OpenCVE AI on April 17, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/?ctiid.347383
https://vuldb.com/?id.347383
https://vuldb.com/?submit.756523
https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0

History

Wed, 25 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		erzhongxmu JEEWMS UEditor getContent.jsp cross site scripting
First Time appeared		Jeewms Jeewms jeewms
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:jeewms:jeewms::::::::
Vendors & Products		Jeewms Jeewms jeewms
References		https://vuldb.com/?ctiid.347383 https://vuldb.com/?id.347383 https://vuldb.com/?submit.756523 https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Jeewms Jeewms

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-23T21:02:08.183Z

Updated: 2026-02-25T15:19:05.163Z

Reserved: 2026-02-23T14:05:20.948Z

Link: CVE-2026-3027

Vulnrichment

Updated: 2026-02-25T15:18:56.422Z

NVD

Status : Analyzed

Published: 2026-02-23T21:19:12.920

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object