Skip to main content

JeeSite EUVDEUVD-2026-26394

| CVE-2026-36761 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-30 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 20:30 vuln.today
CVSS changed
Apr 30, 2026 - 18:22 NVD
6.1 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 18:00 euvd
EUVD-2026-26394
Analysis Generated
Apr 30, 2026 - 18:00 vuln.today
CVE Published
Apr 30, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.

AnalysisAI

Stored cross-site scripting (XSS) in JeeSite v5.15.1 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the msgContent parameter in the /msg/msgInner/save endpoint, affecting any user who views a message containing the malicious payload. The vulnerability requires user interaction (viewing the crafted message) but can impact confidentiality and integrity of user sessions through script execution in the victim's browser context. No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in JeeSite, a Java-based enterprise content management framework. The vulnerability exists in the message handling module at the /msg/msgInner/save endpoint, which fails to properly sanitize or encode user-supplied input in the msgContent parameter before storing it in a backend data store. When the stored message is later retrieved and rendered in a browser context without adequate output encoding, the malicious script executes with the privileges of the viewing user. Unlike reflected XSS, the payload persists in the application's database, making it a higher-severity class of XSS that affects all subsequent users accessing the compromised message.

RemediationAI

Upgrade JeeSite to a patched version released after v5.15.1 that includes input sanitization and output encoding fixes for the msgContent parameter in the /msg/msgInner/save endpoint. Check the official JeeSite GitHub repository (https://github.com/thinkgem/jeesite) and EUVD advisory (EUVD-2026-26394) for the specific patched version number. If immediate patching is not possible, implement compensating controls: disable or restrict access to the message save endpoint to authenticated users only (modify AV vector); enforce strict Content Security Policy (CSP) headers to prevent inline script execution even if XSS payloads are stored; sanitize all message content on output using a library like OWASP AntiSamy or DOMPurify before rendering in the browser; and conduct data cleanup by identifying and removing any stored XSS payloads from the message database. Note that restricting endpoint access may impact legitimate functionality if messages are intended to be user-submitted.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-26394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy