CVE-2026-3028 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in erzhongxmu JEEWMS up to version 3.7. This vulnerability affects the doAdd function within the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. By manipulating the Name argument, attackers can inject malicious scripts that execute in the context of other users' browsers. The vulnerability can be exploited remotely without authentication, and a public exploit has been disclosed.
Critical Impact
This stored XSS vulnerability allows attackers to inject persistent malicious scripts into the JEEWMS application, potentially leading to session hijacking, credential theft, and unauthorized actions performed on behalf of legitimate users.
Affected Products
- Huayi-tec JEEWMS up to version 3.7
- erzhongxmu JEEWMS implementations using the affected controller
Discovery Timeline
- 2026-02-23 - CVE CVE-2026-3028 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-3028
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the doAdd function of the JeecgListDemoController.java controller, where the Name parameter is not properly sanitized before being stored and subsequently rendered in web pages.
When user-supplied input containing malicious JavaScript is submitted through the Name field, the application stores this data without encoding. When other users access pages that display this stored data, the malicious script executes in their browser context with full access to the session and DOM.
The vendor was contacted regarding this vulnerability but did not respond to the disclosure. The exploit details have been publicly disclosed through VulDB, increasing the risk of exploitation in the wild.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the doAdd function. The application fails to sanitize user-supplied data in the Name argument before storing it in the database. Additionally, when this data is rendered on web pages, the application does not properly encode HTML special characters, allowing injected JavaScript to execute.
The Java controller lacks proper implementation of input sanitization libraries or output encoding mechanisms that would prevent XSS payloads from being stored and executed.
Attack Vector
This is a network-based attack that requires user interaction to complete the exploitation chain. An attacker can inject malicious JavaScript payloads through the Name parameter when interacting with the doAdd functionality. The attack flow involves:
- The attacker submits a crafted payload containing JavaScript code through the Name input field
- The application stores the malicious input without sanitization
- When legitimate users view pages containing the stored data, the malicious script executes in their browser
- The script can then steal session cookies, capture keystrokes, redirect users to phishing sites, or perform actions as the authenticated user
The vulnerability requires no privileges to exploit, though successful execution depends on a victim user interacting with the compromised page. For detailed technical information and proof-of-concept details, refer to the Notion XSS in SysModule Report and VulDB entry #347384.
Detection Methods for CVE-2026-3028
Indicators of Compromise
- Unexpected JavaScript content in database fields associated with the Name parameter in JEEWMS records
- Browser console errors or unexpected script execution when viewing JEEWMS pages
- Unusual outbound network requests from user browsers when accessing the application
- Log entries showing HTML/JavaScript special characters in the Name parameter of requests to JeecgListDemoController
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in HTTP requests targeting JEEWMS endpoints
- Monitor application logs for requests containing HTML entities, script tags, or event handlers in the Name parameter
- Deploy Content Security Policy (CSP) headers and monitor for policy violations that may indicate XSS attempts
- Conduct regular database scans for stored malicious content in fields associated with user input
Monitoring Recommendations
- Enable detailed logging for the JeecgListDemoController and monitor for suspicious input patterns
- Configure alerting for requests containing common XSS payload signatures such as <script>, javascript:, or event handlers like onerror
- Monitor browser-side telemetry for unexpected script execution or DOM manipulation events
- Implement real-time log analysis to correlate attack patterns across multiple user sessions
How to Mitigate CVE-2026-3028
Immediate Actions Required
- Apply input validation on the Name parameter to reject or sanitize HTML special characters and JavaScript content
- Implement output encoding using appropriate HTML entity encoding when rendering user-supplied data in web pages
- Deploy a Web Application Firewall (WAF) with XSS protection rules as an immediate compensating control
- Review and audit all user input handling in the JeecgListDemoController.java and related controllers
Patch Information
No official patch has been released by the vendor at this time. The vendor was contacted early about this disclosure but did not respond. Organizations using JEEWMS should implement workarounds and consider alternative solutions until a patch becomes available. Monitor the VulDB entry for updates on vendor response and patch availability.
Workarounds
- Implement server-side input validation to strip or encode HTML special characters from the Name parameter before storage
- Apply Content Security Policy (CSP) headers with strict directives to prevent inline script execution: script-src 'self'
- Use output encoding libraries such as OWASP Java Encoder when rendering user-supplied data in JSP or HTML templates
- Restrict access to the affected doAdd functionality to trusted users only until a proper fix is implemented
# Example CSP header configuration for Apache
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
