Description
A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.
Published: 2026-04-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the /msg/msgInner/save endpoint of JeeSite v5.15.1. Malicious actors may inject crafted content into the msgContent field, causing the web application to store and later serve executable scripts or HTML to visiting users. This can lead to session hijacking, data theft or defacement of displayed content. The weakness is classified as CWE‑79, a classic stored XSS flaw.

Affected Systems

The affected system is JeeSite v5.15.1 released by thinkgem. The vulnerability is tied specifically to the /msg/msgInner/save endpoint and the msgContent parameter in that version; no other products or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. Exploitation requires an attacker to submit malicious input via the msgContent field and rely on end‑users to visit a page that displays the stored payload. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. While the impact is limited to the victim’s browser session, the attack vector is web‑based and can be leveraged by attackers with readily available tools.

Generated by OpenCVE AI on May 1, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JeeSite to a fixed version that removes the XSS flaw in the /msg/msgInner/save endpoint
  • Implement input validation or output encoding on the msgContent field to prevent storage of executable content
  • Configure a strict Content Security Policy on the application’s pages to block inline script execution

Generated by OpenCVE AI on May 1, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 05:45:00 +0000

Type Values Removed Values Added
Title Stored XSS via msgContent in JeeSite msgInner/save

Thu, 30 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Thinkgem
Thinkgem jeesite
Vendors & Products Thinkgem
Thinkgem jeesite

Thu, 30 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.
References

Subscriptions

Thinkgem Jeesite
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T17:51:41.888Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36761

cve-icon Vulnrichment

Updated: 2026-04-30T17:51:22.221Z

cve-icon NVD

Status : Deferred

Published: 2026-04-30T18:16:29.087

Modified: 2026-04-30T19:11:18.200

Link: CVE-2026-36761

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:30:09Z

Weaknesses