Stored Cross-Site Scripting Vulnerability in JiZhiCMS by JiZhi Technology
CVE-2026-29840

5.4 MEDIUM

Key Information:

CVE Published: 24 March 2026

What is CVE-2026-29840?

JiZhiCMS versions up to 2.5.6 are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability found in the release function located in app/home/c/UserController.php. Although the application attempts to sanitize user input by filtering out tags, it fails to properly address other HTML elements that may contain harmful event handlers, such as onerror in tags. This oversight permits an authenticated attacker to inject arbitrary web scripts or HTML content via the body parameter in a POST request targeting /user/release.html.
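
As an added illustration of the filtering gap described above (this is not JiZhiCMS source code and not the vendor's fix), here is a tag denylist next to an allowlist sanitizer in PHP. The function names, the denylisted tag name `script`, the allowlist contents, and the premise that the body field is meant to carry limited HTML are all assumptions.

```php
<?php
// Added example; not JiZhiCMS source. All function names are hypothetical.

// Weak pattern: a denylist that strips one tag name and passes everything else.
// ASSUMPTION: "script" is only an illustrative tag name for the denylist.
function denylist_filter(string $html): string
{
    return preg_replace('#<\s*/?\s*script\b[^>]*>#i', '', $html);
}

// Hardened pattern: parse the markup, keep only allowlisted tags and attributes.
function allowlist_sanitize(string $html): string
{
    $allowed = ['p' => [], 'br' => [], 'b' => [], 'i' => [],
                'a' => ['href'], 'img' => ['src', 'alt']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate malformed user HTML
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);

    // Snapshot the live node list before mutating the tree.
    foreach (iterator_to_array($body->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (!isset($allowed[$tag])) {
            $el->parentNode->removeChild($el);   // drop unknown element and subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name    = strtolower($attr->nodeName);
            $isUrl   = in_array($name, ['href', 'src'], true);
            $safeUrl = preg_match('#^(https?://|/)#i', trim($attr->nodeValue)) === 1;
            // Anything not allowlisted goes: on* handlers, style, non-http(s) URLs.
            if (!in_array($name, $allowed[$tag], true) || ($isUrl && !$safeUrl)) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: an element carrying an event-handler attribute.
$sample = '<p>Hello</p><img src="x" onerror="alert(1)">';
echo denylist_filter($sample), PHP_EOL;    // the tag denylist never looks at attributes
echo allowlist_sanitize($sample), PHP_EOL; // handler attribute is stripped before storage
```

Where a field does not need to carry HTML at all, encoding it on output with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` is the simpler control.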

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
