Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.
AnalysisAI
Stored cross-site scripting (XSS) in JeeSite v5.15.1 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the msgContent parameter in the /msg/msgInner/save endpoint, affecting any user who views a message containing the malicious payload. The vulnerability requires user interaction (viewing the crafted message) but can impact confidentiality and integrity of user sessions through script execution in the victim's browser context. No public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
This is a stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in JeeSite, a Java-based enterprise content management framework. The vulnerability exists in the message handling module at the /msg/msgInner/save endpoint, which fails to properly sanitize or encode user-supplied input in the msgContent parameter before storing it in a backend data store. When the stored message is later retrieved and rendered in a browser context without adequate output encoding, the malicious script executes with the privileges of the viewing user. Unlike reflected XSS, the payload persists in the application's database, making it a higher-severity class of XSS that affects all subsequent users accessing the compromised message.
RemediationAI
Upgrade JeeSite to a patched version released after v5.15.1 that includes input sanitization and output encoding fixes for the msgContent parameter in the /msg/msgInner/save endpoint. Check the official JeeSite GitHub repository (https://github.com/thinkgem/jeesite) and EUVD advisory (EUVD-2026-26394) for the specific patched version number. If immediate patching is not possible, implement compensating controls: disable or restrict access to the message save endpoint to authenticated users only (modify AV vector); enforce strict Content Security Policy (CSP) headers to prevent inline script execution even if XSS payloads are stored; sanitize all message content on output using a library like OWASP AntiSamy or DOMPurify before rendering in the browser; and conduct data cleanup by identifying and removing any stored XSS payloads from the message database. Note that restricting endpoint access may impact legitimate functionality if messages are intended to be user-submitted.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26394