Description
Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker to execute arbitrary script in a victim's browser via a crafted script submitted to the Add Banner Ads function
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting (XSS) flaw, CWE-79, in the Add Banner Ads feature of Juzaweb CMS version 5.0.0. Banner content submitted through that function is not adequately encoded before it is rendered, so a crafted script placed in a banner field executes in the browser of anyone who views a page on which the banner appears. Because banners are persisted by the CMS and rendered on later requests, this behaves as stored XSS: one malicious entry can affect every visitor and administrator who loads the page. With JavaScript running in the victim's origin, the attacker can act with the victim's session, read content the victim can see, or alter what the page displays; the CVSS vector (C:L/I:L/A:N) records this as limited confidentiality and integrity impact with no availability impact. The description states only that a "crafted script" is sent to the Add Banner Ads function; the exact field and rendering path are not documented.

Affected Systems

Juzaweb CMS 5.0.0 is the only documented version affected by this issue. The vulnerability resides in the core Add Banner Ads module. No other vendors or product variants are listed. Systems operating this exact version without applying a fix remain exposed.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (Medium) reflects a network-reachable flaw that is easy to trigger but requires low privileges (PR:L) and user interaction (UI:R): the attacker needs an account permitted to add banner ads, and a victim must load a page that renders the banner. The changed scope (S:C) records that the payload runs in the viewer's browser rather than in the CMS itself. EPSS is below 1% (Very Low), the issue is not in the CISA KEV catalog, and the SSVC enrichment records Exploitation: poc, Automatable: no, Technical Impact: partial, so a proof of concept exists but no in-the-wild exploitation has been recorded. XSS payloads are straightforward to craft, so the practical barrier is obtaining banner-management rights; where banner creation is delegated to marketing staff or lower-trust editors, those accounts become the path to administrator sessions. Successful exploitation lets the attacker run JavaScript as the victim, enabling session riding, credential theft through injected forms, or defacement of the site.

Generated by OpenCVE AI on May 6, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Juzaweb CMS release in which this issue is addressed once the vendor publishes one; at the time of writing no fixed version is documented, so track the vendor's releases and this CVE record.
  • Until a fix is available, restrict the Add Banner Ads capability to a small set of trusted administrators, since the attacker needs an account with that permission (PR:L).
  • Output‑encode banner content for the HTML context in which it is rendered (element body, attribute value, URL) rather than relying on stripping <script> tags, which misses event‑handler attributes and javascript: URLs; if banners must carry HTML, pass them through an allow‑list HTML sanitizer before storing or rendering.
  • Deploy a Content Security Policy that disallows inline script so that any injection that slips through has less effect.
  • Monitor web application logs for banner‑management requests containing markup or event‑handler attributes, and audit recent banner creations and edits for unexpected content.
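As an added illustration, not code from Juzaweb CMS, the following stand‑alone PHP contrasts rendering a stored banner field verbatim (the pattern a stored XSS of this kind relies on) with contextual output encoding, and shows why a "strip script tags" filter is not a fix. The function names, the banner array layout and the sample payloads are assumptions constructed for the example.

```php
<?php
// Added example, not Juzaweb CMS code. Demonstrates why stored banner
// content must be output-encoded for the context it lands in, and why
// stripping <script> tags alone is insufficient. Names are assumed.

declare(strict_types=1);

// Constructed samples of what an account with banner-management rights
// might save as a banner title. Only the last one contains a <script> tag.
$samples = [
    'Spring sale - 20% off',
    '<img src=x onerror="alert(document.cookie)">',
    '" autofocus onfocus="alert(1)',
    '<script>alert(1)</script>',
];

// Naive "sanitizer" that only removes <script>...</script> blocks.
// Samples 2 and 3 pass through untouched; only sample 4 is caught.
function stripScriptTags(string $s): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $s) ?? $s;
}

// Vulnerable rendering: stored values are concatenated into HTML verbatim,
// in both an attribute context (title="...") and an element-body context.
function renderBannerVulnerable(array $banner): string
{
    return '<div class="banner"><a href="' . $banner['url']
        . '" title="' . $banner['title'] . '">'
        . $banner['title'] . '</a></div>';
}

// Encoding for HTML element bodies and quoted attribute values.
// ENT_QUOTES also encodes single quotes (attribute context); ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning '' and silently dropping content.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URLs are a separate context: encoding alone does not neutralise
// javascript: links, so allow only http(s) schemes and fall back to '#'.
function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

// Hardened rendering: every stored value is encoded for the context it is
// placed in, and the link target is validated before being encoded.
function renderBannerHardened(array $banner): string
{
    $url   = escHtml(safeUrl($banner['url']));
    $title = escHtml($banner['title']);
    return '<div class="banner"><a href="' . $url . '" title="' . $title . '">'
        . $title . '</a></div>';
}

foreach ($samples as $title) {
    // The stored link is deliberately a javascript: URL to exercise safeUrl().
    $banner = ['title' => $title, 'url' => 'javascript:alert(1)'];
    echo "--- stored title: {$title}\n";
    echo "strip-only : " . stripScriptTags($title) . "\n";
    echo "vulnerable : " . renderBannerVulnerable($banner) . "\n";
    echo "hardened   : " . renderBannerHardened($banner) . "\n";
}
```

Running this shows the event‑handler and attribute‑breakout payloads surviving the strip‑only filter and landing unchanged in the vulnerable markup, while the hardened renderer emits them as inert text and replaces the javascript: link with `#`. Juzaweb CMS is built on Laravel; in a Blade template the same distinction is `{{ $value }}` (escaped) versus `{!! $value !!}` (raw), and reviewing banner templates for the raw form is the quickest way to locate the rendering path.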



Advisories

No advisories yet.

History

Wed, 06 May 2026 22:30:00 +0000

Type: First Time appeared
Values Added: Juzaweb; Juzaweb juzaweb Cms

Type: Vendors & Products
Values Added: Juzaweb; Juzaweb juzaweb Cms

Wed, 06 May 2026 17:45:00 +0000

Type: Title
Values Added: Cross‑Site Scripting in Juzaweb CMS Add Banner Ads Function

Wed, 06 May 2026 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-79

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 13:30:00 +0000

Type: Description
Values Added: Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-05-06T13:53:56.674Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36358

Vulnrichment

Updated: 2026-05-06T13:51:13.732Z

NVD

Status : Deferred

Published: 2026-05-06T14:16:19.583

Modified: 2026-05-07T15:53:11.027

Link: CVE-2026-36358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:15:13Z

Weaknesses