CVE-2026-10529

An attacker can exploit this vulnerability by sending a crafted POST request to the `/system/schedule/save` interface. The `jobName` parameter can contain malicious JavaScript code. This script is then stored in the server's database. When an administrator or a user with relevant permissions accesses the task list or scheduling monitoring page, the stored script executes within their browser environment, leading to a cross-site scripting attack [ref_id=1]. The attack can be executed remotely.

The vulnerability resides in the task scheduling management module, specifically within the `ScheduleJobController.java` file. The `save` method in this controller passes data directly to the `ScheduleJobServiceImpl.java` without adequate XSS filtering. The `update` method within the service implementation then saves this unsanitized data to the database [ref_id=1].

The advisory recommends input filtering and output encoding to mitigate this vulnerability. Specifically, it suggests performing strict type validation and special character filtering on all user input data. Additionally, it recommends using functions like htmlspecialchars() at all HTML output locations to convert characters such as <, >, &, ", and ' to HTML entities. Implementing a Content Security Policy (CSP) is also suggested to restrict script execution. No patch is provided in the bundle.

Access http://127.0.0.1:12345/system to enter the plan management window. Click to edit a task. In the task name field, enter a payload such as `<script>alert(1)</script>`. Click save. Refresh the page and click the Scheduled Tasks window again. A pop-up window will appear, confirming the stored XSS vulnerability [ref_id=1].