Description
iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.
Published: 2026-03-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing arbitrary web script injection
Action: Immediate Patch
AI Analysis

Impact

iCMS v8.0.0 contains a reflected cross‑site scripting flaw in the User Management component. The vulnerability is triggered through the regip or loginip parameters of the index.html interface, enabling a remote attacker to inject and execute arbitrary HTML or JavaScript in the browser of any user who loads the page with the crafted parameters. Such exploitation can lead to session hijacking, cookie theft, defacement, or delivery of malicious payloads to unsuspecting users.

Affected Systems

The affected product is idreamsoft iCMS version 8.0.0. No other vendors or product variants are listed as impacted.

Risk and Exploitability

With a CVSS score of 6.1, the issue is rated moderate severity. The EPSS score is below 1% and the vulnerability is not catalogued in the CISA KEV list, suggesting a low likelihood of widespread active exploitation. Based on the description, an attacker can trigger the flaw from any external location by sending a crafted HTTP request containing malicious content in the regip or loginip parameters, without requiring authentication or privileged access; the CVSS vector (UI:R) does, however, indicate that a victim must interact with the crafted request, for example by following a link.

Generated by OpenCVE AI on March 25, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and apply the official vendor patch for iCMS or upgrade to a protected version that removes the vulnerable parameters.
  • If a patch is not yet available, configure the web server or application firewall to block or reject requests that contain regip or loginip query parameters.
  • Sanitize and HTML‑encode any user‑supplied data before rendering it in the browser to prevent XSS injection.
  • Consider deploying a web application firewall rule that detects and mitigates typical XSS payloads targeting the affected parameters.
  • Regularly review web application logs for anomalous requests containing XSS payload patterns and verify that mitigation measures remain effective.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000
  Title
    Removed: Cross‑Site Scripting in iCMS User Management Module
    Added:   Cross‑Site Scripting via regip/Loginip Parameters in iCMS v8.0.0

Wed, 25 Mar 2026 22:00:00 +0000
  Title
    Added:   Cross‑Site Scripting in iCMS User Management Module

Wed, 25 Mar 2026 21:00:00 +0000
  First Time appeared
    Added:   Idreamsoft
             Idreamsoft icms
  CPEs
    Added:   cpe:2.3:a:idreamsoft:icms:8.0.0:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Idreamsoft
             Idreamsoft icms

Wed, 25 Mar 2026 12:00:00 +0000
  First Time appeared
    Added:   Icms
             Icms icms
  Vendors & Products
    Added:   Icms
             Icms icms

Tue, 24 Mar 2026 19:15:00 +0000
  Weaknesses
    Added:   CWE-79
  Metrics
    Added:   cvssV3_1
             {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
             ssvc
             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 14:45:00 +0000
  Description
    Added:   iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T18:47:24.865Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30661

Vulnrichment

Updated: 2026-03-24T18:47:20.341Z

NVD

Status: Analyzed

Published: 2026-03-24T15:16:34.350

Modified: 2026-03-25T20:53:28.350

Link: CVE-2026-30661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:20:30Z

Weaknesses