Skip to main content

CVE-2026-30661

| EUVDEUVD-2026-14893 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-24 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14893
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.

AnalysisAI

iCMS v8.0.0 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the User Management component's index.html file, where the regip and loginip parameters fail to properly sanitize user input before rendering in the HTML response. Remote attackers can exploit this vulnerability without authentication to execute arbitrary JavaScript in the context of victim browsers, potentially leading to session hijacking, credential theft, or malware distribution. A proof-of-concept has been publicly disclosed by the researcher, increasing real-world exploitation risk.

Technical ContextAI

The vulnerability exists in iCMS v8.0.0, a content management system, specifically within the User Management module's index.html file. The root cause is insufficient input validation and output encoding of user-controlled parameters (regip and loginip) that are reflected directly into the HTML DOM without proper escaping or Content Security Policy (CSP) protections. This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw where user input is not sanitized before being embedded in HTML context. The affected component is the administrative or user-facing interface responsible for managing user registration and login IP tracking, which fails to encode special characters (such as angle brackets, quotes, and event handlers) that would allow script injection.

RemediationAI

Immediately upgrade iCMS to a patched version released after v8.0.0 if available from the vendor. If a patch is unavailable, implement the following mitigations: (1) enforce strict Content Security Policy (CSP) headers with script-src directives limiting script execution to trusted sources only; (2) apply input validation and output encoding to all user-supplied parameters (regip, loginip) using a vetted HTML encoding library (e.g., OWASP ESAPI) before rendering to the browser; (3) disable or restrict access to the User Management interface to authenticated administrators only via IP whitelisting and WAF rules; (4) deploy a Web Application Firewall (WAF) with XSS detection signatures to block payloads containing script tags or event handlers. Consult the public disclosure at https://wang1rrr.github.io/2026/02/09/CVE-Report-iCMS-v8.0.0-XSS/ for technical details and contact the iCMS vendor for official patch availability and timeline.

Share

CVE-2026-30661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy