Description
A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Script Execution
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the doAdd method of JeecgListDemoController. The Name parameter is not sanitized, allowing an attacker to embed malicious JavaScript that will be executed in the browser of any user who views the affected page. This can lead to session hijacking, defacement, or execution of arbitrary code within the victim’s browser context.

Affected Systems

It affects the JEEWMS product from the vendor erzhongxmu, in all releases up to and including version 3.7. The vulnerability is present in the source file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. No specific product versions beyond 3.7 are listed; administrators should verify whether their deployment falls within this range.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate impact if exploited. The EPSS score is below 1%, pointing to a low likelihood of widespread exploitation at this time. The vulnerability can be triggered remotely by submitting a crafted Name value; there is no indication of an additional vulnerability such as code injection (CWE‑94) being necessary to exploit it. The issue is not yet listed in the CISA Known Exploited Vulnerabilities catalogue, but the vendor has not released a fix, so the risk remains until remediation or a patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest JEEWMS release that includes a patch for the XSS issue once it is available from the vendor.
  • Implement server‑side validation or output encoding for the Name parameter to ensure that no script code can be stored or rendered.
  • Deploy a Web Application Firewall or enforce a Content Security Policy that blocks or sanitizes hostile script input before it reaches the application.

Generated by OpenCVE AI on April 17, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Huayi-tec
Huayi-tec jeewms
CPEs cpe:2.3:a:huayi-tec:jeewms:*:*:*:*:*:*:*:*
Vendors & Products Huayi-tec
Huayi-tec jeewms

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title erzhongxmu JEEWMS JeecgListDemoController.java doAdd cross site scripting
First Time appeared Jeewms
Jeewms jeewms
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:jeewms:jeewms:*:*:*:*:*:*:*:*
Vendors & Products Jeewms
Jeewms jeewms
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Huayi-tec Jeewms
Jeewms Jeewms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T15:28:13.880Z

Reserved: 2026-02-23T14:05:23.655Z

Link: CVE-2026-3028

cve-icon Vulnrichment

Updated: 2026-02-25T15:27:59.326Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-23T22:16:25.743

Modified: 2026-02-26T03:05:29.523

Link: CVE-2026-3028

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses