VYPR
Medium severity (4.3) · NVD Advisory · Published May 30, 2026

CVE-2026-10153

Description

A flaw has been found in westboy CicadasCMS up to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The function Search of the file org/springframework/cache/support/AbstractCacheManager.java is affected. Manipulation of the argument s leads to cross-site scripting. The attack can be launched remotely. The exploit has been published and may be used. Because this product follows a rolling release approach for continuous delivery, version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in CicadasCMS's Search function of AbstractCacheManager.java allows remote attackers to inject arbitrary web scripts.

Vulnerability

A cross-site scripting (XSS) flaw exists in the Search function of org/springframework/cache/support/AbstractCacheManager.java in westboy CicadasCMS up to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The product follows a rolling release approach, so no specific version numbers are provided. The vulnerability arises because user-supplied input passed in the s argument is not properly sanitized before it is written into pages served to other users, allowing arbitrary script injection [1].

Exploitation

An attacker can exploit this vulnerability remotely and without authentication by crafting a URL or request that carries the injected script in the s parameter. No special privileges or local access are required. The exploit has been published and may be used in attacks [2]. Exploitation involves inducing a user to click a crafted link or visit a malicious page that triggers the vulnerable search functionality [2].

Impact

Successful exploitation enables the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session. This can lead to theft of session tokens, phishing, defacement, or other malicious actions that compromise the integrity and confidentiality of the affected application. The impact is rated as Medium (CVSS 3.0 base score 4.3) [2].

Mitigation

No official fix or updated release has been provided by the vendor. The project was informed via an issue report but has not yet responded. As of the publication date (2026-05-30), users should apply input validation and output encoding on the s parameter, or consider using a web application firewall (WAF) to block malicious patterns. Continuous monitoring of the vendor's repository is advised until a patch is released [1][2].
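As an added, hypothetical illustration of the output-encoding mitigation described above (example code, not CicadasCMS or Spring code; the class, method names and page template are assumed), the two renderers below echo the s search term into a results page. The first concatenates it raw, the second HTML-encodes it in both the text-node and the attribute context of the search box, and the constructed probe in main shows the difference.

```java
import java.util.List;
public class SearchEcho {
    // Minimal HTML encoder for text nodes and double-quoted attributes. Hypothetical
    // helper; a real Spring app should prefer a maintained encoder (e.g. OWASP Java Encoder).
    static String escapeHtml(String in) {
        StringBuilder out = new StringBuilder(in.length());
        for (char c : in.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the s parameter is concatenated straight into the
    // markup, both inside the search box's value attribute and as a text node.
    static String renderUnsafe(String s, List<String> hits) {
        StringBuilder html = new StringBuilder();
        html.append("<input name=\"s\" value=\"").append(s).append("\">");
        html.append("<h2>Results for ").append(s).append("</h2>");
        for (String h : hits) html.append("<li>").append(h).append("</li>");
        return html.toString();
    }

    // Hardened pattern: every untrusted value (the query and the stored result
    // titles) is encoded where it is written into HTML, so the browser treats it as data.
    static String renderSafe(String s, List<String> hits) {
        StringBuilder html = new StringBuilder();
        html.append("<input name=\"s\" value=\"").append(escapeHtml(s)).append("\">");
        html.append("<h2>Results for ").append(escapeHtml(s)).append("</h2>");
        for (String h : hits) html.append("<li>").append(escapeHtml(h)).append("</li>");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed probe: closes the value attribute, then adds a harmless tag.
        String probe = "\"><i>probe</i>";
        List<String> hits = List.of("Intro to Cicadas"); // constructed sample result
        System.out.println("unsafe output contains the probe tag: "
                + renderUnsafe(probe, hits).contains("<i>probe</i>"));
        System.out.println("safe output contains the probe tag:   "
                + renderSafe(probe, hits).contains("<i>probe</i>"));
    }
}
```

The same contains-check against a benign probe string can serve as a regression test for the s parameter once the project ships a fix.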

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
