Description
A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch Now
AI Analysis

Impact

A flaw in SmartAdmin version 3.29 and earlier allows an attacker to inject malicious scripts via the notice-form-drawer.vue component, leading to remote cross‑site scripting. The weakness is defined by CWE‑79 and CWE‑94 and can enable an attacker to execute arbitrary JavaScript in the victim’s browser, compromising the confidentiality of session data and possibly allowing phishing or credential theft.

Affected Systems

The vulnerability affects 1024‑lab and lab1024 SmartAdmin products up to version 3.29.

Risk and Exploitability

The CVSS base score is 5.1, indicating medium severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The flaw can be triggered remotely from a crafted request to the Notice module, and a public exploit has already been released. It is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SmartAdmin to a patched version 3.30 or later when available.
  • Implement input validation and output encoding for the Notice module to eliminate reflected scripts.
  • Deploy a strict Content Security Policy that blocks unsafe scripts and limits script sources.
  • If a patch is not yet available, disable the Notice module or block the vulnerable endpoint until remediation can be applied.

Generated by OpenCVE AI on April 16, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:lab1024:smartadmin:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared 1024-lab
1024-lab smartadmin
Lab1024
Lab1024 smartadmin
Vendors & Products 1024-lab
1024-lab smartadmin
Lab1024
Lab1024 smartadmin

Sun, 08 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title 1024-lab/lab1024 SmartAdmin Notice notice-form-drawer.vue cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

1024-lab Smartadmin
Lab1024 Smartadmin
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T14:47:11.911Z

Reserved: 2026-03-07T12:21:13.011Z

Link: CVE-2026-3720

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-08T08:15:59.943

Modified: 2026-03-13T20:08:15.060

Link: CVE-2026-3720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:30:13Z

Weaknesses