Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026

CVE-2026-29840

Description

JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.

Affected products

JiZhiCMS/JiZhiCMSdescription
Jizhicms/Jizhicmsllm-fuzzy
Range: <=2.5.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.demo.com/user/release/molds/article.htmlmitre
gist.github.com/w-p-man/790f51f918499798180a8def3a6fdfb0mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000