CVE-2026-29840

Published: Mar 24, 2026

Modified: Mar 24, 2026

PUBLISHED

Description

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.demo.com/user/release/molds/article.html

https://gist.github.com/w-p-man/790f51f918499798180a8def3a6fdfb0

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-29840

Description

Affected Products

References