Is there a public PoC exploit available for CVE-2026-10529?

Yes, a public proof-of-concept exploit is available for CVE-2026-10529. Prioritise patching immediately. EPSS: 0.0%.

CicadasCMS CVE-2026-10529

Q: What is the CVSS score of CVE-2026-10529?

CVE-2026-10529 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33855 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-06-02 VulDB

GHSA-rgqh-84xv-78p8

XSS Java

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

CVSS changed

Jun 02, 2026 - 02:22 NVD

2.4 (LOW) 1.9 (LOW)

Analysis Generated

Jun 02, 2026 - 01:42 vuln.today

DescriptionCVE.org

A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling Management Module. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site scripting in westboy CicadasCMS Task Scheduling Management Module allows a high-privileged, authenticated attacker to inject malicious script payloads via the ScheduleJobController component that execute in a victim user's browser upon viewing the affected page. The vulnerability carries a CVSS base score of just 2.4, reflecting the steep access barriers of required high privileges (PR:H) and mandatory user interaction (UI:R), though a publicly available proof-of-concept exploit exists on the Gitee issue tracker. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain high-privilege CicadasCMS admin credentials

Delivery

Authenticate to administrative backend

Exploit

Inject XSS payload into Task Scheduling Management Module field via ScheduleJobController

Execution

Payload persists in task scheduler UI

Persist

Second privileged admin views task scheduler page

Impact

Malicious script executes in victim's browser context

Access

Obtain high-privilege CicadasCMS admin credentials

Delivery

Authenticate to administrative backend

Exploit

Inject XSS payload into Task Scheduling Management Module field via ScheduleJobController

Execution

Payload persists in task scheduler UI

Persist

Second privileged admin views task scheduler page

Impact

Malicious script executes in victim's browser context

Vulnerability AssessmentAI

Exploitation	Exploitation requires a high-privilege authenticated session on the CicadasCMS administrative interface (CVSS PR:H confirmed) - an unauthenticated or low-privilege attacker cannot trigger this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Despite network reachability (AV:N) and low attack complexity (AC:L), the CVSS score of 2.4 accurately reflects constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with an existing high-privilege administrative account on a CicadasCMS instance navigates to the Task Scheduling Management Module and submits a crafted task definition containing an injected JavaScript payload in an unsanitized input field. When a second administrator or privileged user subsequently views the task scheduler interface, the payload executes in their browser session, potentially stealing session cookies or performing actions on their behalf. …
Remediation	No vendor-released patch has been identified at time of analysis; the vendor was notified via the Gitee issue tracker (https://gitee.com/westboy/CicadasCMS/issues/IJLMAG) but has not responded. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-41699 CRITICAL Act Now

9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at

CVE-2026-47835 HIGH This Week

8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t

CVE-2026-47825 HIGH This Week

8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH This Week

8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

CVE-2026-10529 vulnerability details – vuln.today

Back