CVE-2026-3028

4.3 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability exists in erzhongxmu JEEWMS up to version 3.7, specifically in the doAdd function of JeecgListDemoController.java. This allows remote attackers to inject malicious scripts via the Name parameter, which are then executed when other users view the affected content. Organizations using JEEWMS versions up to 3.7 are affected.

💻 Affected Systems

Products:
  • erzhongxmu JEEWMS
Versions: Up to and including version 3.7
Operating Systems: All platforms running JEEWMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the demo controller component, which may be present in default installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites, potentially leading to account compromise and data theft.

🟠 Likely Case

Attackers inject malicious scripts that execute in victims' browsers, potentially stealing session tokens or performing unauthorized actions within the application.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been publicly disclosed and requires user interaction (a victim viewing the stored content). The attack vector is remote.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to a version above 3.7 if one is released, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Platforms: all

Implement proper input validation for the Name parameter and ensure all user-controlled output is properly encoded before rendering.

Modify src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java to sanitize the Name parameter
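The principle behind this workaround, shown as an added Python example rather than code from JEEWMS (the project is Java, so the corresponding change in JeecgListDemoController.java would call an equivalent Java HTML-encoding helper at the point where the Name value is rendered). The sample values and the rendering functions are constructed for illustration; the parser-based check at the end shows why encoding must be context-aware, since a bare double quote is harmless in element text but breaks out of an attribute value.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs standing in for a stored Name value
# (the classic element-context probe and an attribute-context probe).
SAMPLE_NAME = "<script>alert(1)</script>"
SAMPLE_ATTR_NAME = '" onmouseover="alert(1)'


def render_name_vulnerable(name: str) -> str:
    """'Before' behaviour: the stored value is interpolated as-is."""
    return f"<p>Name: {name}</p>"


def render_name_encoded(name: str) -> str:
    """Element context: encode <, >, & and quotes on output."""
    return f"<p>Name: {html.escape(name, quote=True)}</p>"


def render_attribute_vulnerable(name: str) -> str:
    """'Before' behaviour in an attribute: a quote closes the value."""
    return f'<input type="text" name="name" value="{name}">'


def render_attribute_encoded(name: str) -> str:
    """Attribute context: quote=True turns " into &quot; so the value
    cannot terminate the attribute and start a new one."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


class _ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes that the
    browser would actually parse out of a rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr, _value in attrs:
            if attr.startswith("on"):
                self.findings.append(f"event handler attribute {attr}")


def active_content(rendered: str) -> list:
    """Return the active constructs a parser sees in the rendered HTML;
    an empty list means the encoded value is inert text."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, fragment in (
        ("element, vulnerable", render_name_vulnerable(SAMPLE_NAME)),
        ("element, encoded", render_name_encoded(SAMPLE_NAME)),
        ("attribute, vulnerable", render_attribute_vulnerable(SAMPLE_ATTR_NAME)),
        ("attribute, encoded", render_attribute_encoded(SAMPLE_ATTR_NAME)),
    ):
        print(f"{label:22s} -> {active_content(fragment) or 'inert'}")
```

The check uses the standard-library parser rather than substring matching on purpose: the encoded attribute output still contains the literal characters `onmouseover=` inside a quoted value, and only a parser can tell that they are data, not an attribute.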

Content Security Policy (CSP)

Platforms: all

Implement a strict Content Security Policy header to mitigate XSS impact by restricting script execution sources.

Add Content-Security-Policy header to web server configuration

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Disable or restrict access to the vulnerable demo controller component if not needed

🔍 How to Verify

Check if Vulnerable:

Check if JEEWMS version is 3.7 or earlier and if the JeecgListDemoController.java file exists with the vulnerable doAdd function.

Check Version:

Check application version in web interface or configuration files

Verify Fix Applied:

Test the Name parameter with XSS payloads to ensure they are properly sanitized or encoded in output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malicious script patterns in Name parameter values in application logs

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Name parameter

SIEM Query:

web_requests WHERE url_path CONTAINS 'jeecgListDemoController' AND (parameters CONTAINS '<script' OR parameters CONTAINS 'javascript:')
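The same detection logic run over sample log lines, as an added Python example that is not part of the advisory. The log lines are constructed in a common combined-log shape (the `.do?doAdd` request path shape is an assumption about how the controller is addressed, taken only from the controller and method names on this page). It goes slightly beyond the SIEM query above: it URL-decodes the query string before matching, so a `%3Cscript` submission is not missed, matches case-insensitively, and adds an `on*=` event-handler indicator alongside the two the page lists.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real JEEWMS logs). Line 2 and
# line 3 are the ones a defender wants flagged; line 4 hits a different
# controller and line 5 is a benign value containing a stray '<'.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "POST /jeecgListDemoController.do?doAdd&name=Pallet%20A HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2026:10:00:05 +0000] "POST /jeecgListDemoController.do?doAdd&name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2026:10:00:09 +0000] "POST /jeecgListDemoController.do?doAdd&name=%3CIMG%20SRC%3D%22javascript%3Aalert(1)%22%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2026:10:00:12 +0000] "GET /loginController.do?login&name=%3Cscript%3E HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2026:10:00:15 +0000] "POST /jeecgListDemoController.do?doAdd&name=O%27Brien%20%3C3 HTTP/1.1" 200 512
"""

# Indicators evaluated against the decoded Name value, case-insensitively.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

CONTROLLER_MARKER = "jeecglistdemocontroller"


def extract_name_values(log_line: str):
    """Return (path, [decoded Name values]) for one log line, or
    (None, []) when the line carries no parseable request."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None, []
    parts = urlsplit(match.group("target"))
    # parse_qs percent-decodes each value, which is what lets an
    # encoded '%3Cscript' reach the indicator patterns as '<script'.
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, params.get("name", [])


def scan_log(text: str) -> list:
    """Flag requests to the demo controller whose Name parameter matches
    at least one indicator; each hit records which indicators fired."""
    hits = []
    for line in text.splitlines():
        path, values = extract_name_values(line)
        if path is None or CONTROLLER_MARKER not in path.lower():
            continue
        for value in values:
            matched = [key for key, rx in INDICATORS.items() if rx.search(value)]
            if matched:
                hits.append({"path": path, "name": value, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['path']}  name={hit['name']!r}  indicators={hit['indicators']}")
```

The controller match is deliberately restricted to the vulnerable path so the rule does not fire on every `name` field in the application; widening it to all paths is a tuning decision, not a correctness one.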

🔗 References
