CVE-2026-29598
Description
Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the First Name and Last Name parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Acora CMS v10.7.1 allows attackers to inject arbitrary scripts via user registration fields.
Vulnerability
Overview
The submit_add_user.asp endpoint in DDSN Interactive Acora CMS version 10.7.1 is vulnerable to multiple stored cross-site scripting (XSS) attacks. The root cause is the lack of proper sanitization or encoding of user input supplied to the First Name and Last Name parameters [2]. When an administrator adds or edits a user, the injected payload is stored in the application's database and later rendered without safe escaping.
Exploitation
An authenticated administrator with privileges to add or edit users can craft a malicious payload (e.g., JavaScript) and insert it into either the first or last name field via /submit_add_user.asp or /submit_edit_user.asp [2]. No additional privileges beyond user management are required to introduce the payload. The stored script executes in the browser of any user who views the affected user record.
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of other users' sessions. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim [2]. Because the payload is stored, every subsequent page view that renders that user's name triggers the script, amplifying the impact.
Mitigation
The vulnerability was publicly disclosed with a proof-of-concept repository [2]. As of the CVE publication date, no patch has been announced. Administrators should ensure that input validation and output encoding are applied to user-managed fields. The vendor references (Acora [1] and DDSN Interactive [3]) do not contain a dedicated security advisory at this time.
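As an added illustration (not code from Acora CMS or its vendor), the following shows the unsafe pattern the advisory describes, a stored name concatenated straight into markup, beside an output-encoded rendering, plus a sweep over stored user records for names that already contain markup. The record shape, the sample records and the function names are assumptions, not taken from the product.

```javascript
// Added example, not Acora CMS code. Demonstrates output encoding of stored
// user name fields and a review sweep for records stored before a fix.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the five characters that can break out of an HTML text node or a
// double-quoted attribute. Classic ASP's Server.HTMLEncode covers the same
// idea, so the ASP-side fix is to apply it at every point a name is rendered.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: stored fields concatenated into markup without encoding,
// which is the behaviour the advisory attributes to the user listing pages.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.firstName}</td><td>${user.lastName}</td></tr>`;
}

// Hardened pattern: every stored field is encoded for the HTML context on output.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.firstName)}</td><td>${escapeHtml(user.lastName)}</td></tr>`;
}

// Defensive sweep: return the ids of stored records whose name fields contain
// markup metacharacters, so an administrator can review entries added while
// the endpoint was unpatched. Legitimate names (apostrophes, accents) pass.
function findSuspiciousNames(users) {
  const markup = /[<>]|&#|javascript:/i;
  return users
    .filter((u) => markup.test(u.firstName) || markup.test(u.lastName))
    .map((u) => u.id);
}

// Constructed sample records (assumed shape; not real data).
const SAMPLE_USERS = [
  { id: 1, firstName: "Alice", lastName: "O'Brien" },
  { id: 2, firstName: "<script>alert(1)</script>", lastName: "Smith" },
];

console.log(renderUserRowUnsafe(SAMPLE_USERS[1])); // script element reaches the browser
console.log(renderUserRowSafe(SAMPLE_USERS[1]));   // rendered as literal text
console.log(findSuspiciousNames(SAMPLE_USERS));     // [ 2 ]
```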
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 10.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.