Description
A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.
Published: 2026-04-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the /api/blade-desk/notice/submit endpoint of SpringBlade version 4.8.0. When a user submits a notice containing malicious script in the content field, the input is stored and later rendered without proper encoding. This allows an attacker to execute arbitrary scripts or HTML in the browsers of other users who view the notice, potentially leading to session hijacking, credential theft, defacement, or malware delivery.

Affected Systems

The flaw affects the SpringBlade e‑commerce framework, version 4.8.0. It is present in the API endpoint that accepts notice submissions.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of 0.00029 (<1%) indicates a very low but nonzero probability of exploitation, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the likely attack vector requires an attacker to have authenticated access to the /api/blade-desk/notice/submit endpoint, with permission to submit notices; therefore, the risk is higher in environments with broader write access to that endpoint.

Generated by OpenCVE AI on May 2, 2026 at 10:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SpringBlade to the latest patch version that addresses the stored XSS in the /api/blade-desk/notice/submit endpoint.
  • Ensure that any content submitted to the system is properly sanitized and HTML‑encoded before rendering, thereby preventing injected scripts from executing.
  • Implement a Content Security Policy that restricts execution of inline scripts to mitigate the impact of any missed or future XSS vulnerabilities.

Generated by OpenCVE AI on May 2, 2026 at 10:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

Type Values Removed Values Added
Title Stored XSS in SpringBlade 4.8.0 Notice Submit Endpoint

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Chillzhuang
Chillzhuang springblade
Vendors & Products Chillzhuang
Chillzhuang springblade

Thu, 30 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.
References

Subscriptions

Chillzhuang Springblade
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T17:50:29.684Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36763

cve-icon Vulnrichment

Updated: 2026-04-30T17:50:24.772Z

cve-icon NVD

Status : Deferred

Published: 2026-04-30T18:16:29.370

Modified: 2026-04-30T19:14:15.800

Link: CVE-2026-36763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T11:00:06Z

Weaknesses