Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-3028

CVE-2026-3028: Huayi-tec Jeewms XSS Vulnerability

CVE-2026-3028 is a cross-site scripting flaw in Huayi-tec Jeewms that allows attackers to inject malicious scripts via the Name parameter. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-3028 Overview

A Cross-Site Scripting (XSS) vulnerability has been identified in erzhongxmu JEEWMS up to version 3.7. This vulnerability affects the doAdd function within the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. By manipulating the Name argument, attackers can inject malicious scripts that execute in the context of other users' browsers. The vulnerability can be exploited remotely without authentication, and a public exploit has been disclosed.

Critical Impact

This stored XSS vulnerability allows attackers to inject persistent malicious scripts into the JEEWMS application, potentially leading to session hijacking, credential theft, and unauthorized actions performed on behalf of legitimate users.

Affected Products

  • Huayi-tec JEEWMS up to version 3.7
  • erzhongxmu JEEWMS implementations using the affected controller

Discovery Timeline

  • 2026-02-23 - CVE CVE-2026-3028 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-3028

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the doAdd function of the JeecgListDemoController.java controller, where the Name parameter is not properly sanitized before being stored and subsequently rendered in web pages.

When user-supplied input containing malicious JavaScript is submitted through the Name field, the application stores this data without encoding. When other users access pages that display this stored data, the malicious script executes in their browser context with full access to the session and DOM.

The vendor was contacted regarding this vulnerability but did not respond to the disclosure. The exploit details have been publicly disclosed through VulDB, increasing the risk of exploitation in the wild.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the doAdd function. The application fails to sanitize user-supplied data in the Name argument before storing it in the database. Additionally, when this data is rendered on web pages, the application does not properly encode HTML special characters, allowing injected JavaScript to execute.

The Java controller lacks proper implementation of input sanitization libraries or output encoding mechanisms that would prevent XSS payloads from being stored and executed.

Attack Vector

This is a network-based attack that requires user interaction to complete the exploitation chain. An attacker can inject malicious JavaScript payloads through the Name parameter when interacting with the doAdd functionality. The attack flow involves:

  1. The attacker submits a crafted payload containing JavaScript code through the Name input field
  2. The application stores the malicious input without sanitization
  3. When legitimate users view pages containing the stored data, the malicious script executes in their browser
  4. The script can then steal session cookies, capture keystrokes, redirect users to phishing sites, or perform actions as the authenticated user

The vulnerability requires no privileges to exploit, though successful execution depends on a victim user interacting with the compromised page. For detailed technical information and proof-of-concept details, refer to the Notion XSS in SysModule Report and VulDB entry #347384.

Detection Methods for CVE-2026-3028

Indicators of Compromise

  • Unexpected JavaScript content in database fields associated with the Name parameter in JEEWMS records
  • Browser console errors or unexpected script execution when viewing JEEWMS pages
  • Unusual outbound network requests from user browsers when accessing the application
  • Log entries showing HTML/JavaScript special characters in the Name parameter of requests to JeecgListDemoController

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in HTTP requests targeting JEEWMS endpoints
  • Monitor application logs for requests containing HTML entities, script tags, or event handlers in the Name parameter
  • Deploy Content Security Policy (CSP) headers and monitor for policy violations that may indicate XSS attempts
  • Conduct regular database scans for stored malicious content in fields associated with user input

Monitoring Recommendations

  • Enable detailed logging for the JeecgListDemoController and monitor for suspicious input patterns
  • Configure alerting for requests containing common XSS payload signatures such as <script>, javascript:, or event handlers like onerror
  • Monitor browser-side telemetry for unexpected script execution or DOM manipulation events
  • Implement real-time log analysis to correlate attack patterns across multiple user sessions

How to Mitigate CVE-2026-3028

Immediate Actions Required

  • Apply input validation on the Name parameter to reject or sanitize HTML special characters and JavaScript content
  • Implement output encoding using appropriate HTML entity encoding when rendering user-supplied data in web pages
  • Deploy a Web Application Firewall (WAF) with XSS protection rules as an immediate compensating control
  • Review and audit all user input handling in the JeecgListDemoController.java and related controllers

Patch Information

No official patch has been released by the vendor at this time. The vendor was contacted early about this disclosure but did not respond. Organizations using JEEWMS should implement workarounds and consider alternative solutions until a patch becomes available. Monitor the VulDB entry for updates on vendor response and patch availability.

Workarounds

  • Implement server-side input validation to strip or encode HTML special characters from the Name parameter before storage
  • Apply Content Security Policy (CSP) headers with strict directives to prevent inline script execution: script-src 'self'
  • Use output encoding libraries such as OWASP Java Encoder when rendering user-supplied data in JSP or HTML templates
  • Restrict access to the affected doAdd functionality to trusted users only until a proper fix is implemented
bash
# Example CSP header configuration for Apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne