3.0.1
3.1.1
3.2.1
3.3.1
3.4.1
3.5.1
3.6.1
3.7.1
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability discovered in JEEWMS versions 3.0 to 3.7. This flaw resides within the doAdd function of the JeecgListDemoController.java file, allowing attackers to inject malicious scripts through manipulation of the Name argument. The vulnerability is remotely exploitable and has been publicly disclosed, highlighting the urgency of remediation.
Successful exploitation of CVE-2026-3028 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the JEEWMS application. This can lead to a variety of malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. An attacker could potentially gain access to sensitive data stored within JEEWMS, such as user information, financial records, or other confidential data. The impact is amplified if JEEWMS is integrated with other systems, as the attacker could potentially use this vulnerability as a stepping stone to compromise other parts of the infrastructure.
CVE-2026-3028 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability's severity is rated as medium (CVSS 4.3). No specific exploit campaigns or actor attribution have been publicly reported at this time. The vulnerability was disclosed to the vendor, erzhongxmu, but they did not respond. Refer to the NVD entry published on 2026-02-23 for further details.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3028 is to upgrade JEEWMS to a patched version. Unfortunately, a fixed version is not currently specified. As a temporary workaround, implement strict input validation and sanitization on the Name parameter within the doAdd function. This can be achieved by using a web application firewall (WAF) with XSS protection rules or by implementing custom filtering logic. Additionally, consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed, limiting the potential impact of a successful XSS attack. Regularly review and update JEEWMS configuration to ensure best practices are followed.
Update JEEWMS to a version later than 3.7 that fixes the Cross-Site Scripting (XSS) vulnerability in the doAdd function of the JeecgListDemoController.java file. Refer to the release notes or changelog for more details about the specific fix. If no patched version is available, consider implementing mitigation measures such as user input validation and sanitization to prevent the injection of malicious code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability affecting JEEWMS versions 3.0 through 3.7. It allows attackers to inject malicious scripts through the Name parameter in the doAdd function, potentially leading to session hijacking and data theft.
If you are running JEEWMS versions 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, or 3.7, you are potentially affected by this vulnerability. Check your JEEWMS version and apply the recommended mitigations.
Upgrade to a patched version of JEEWMS. As a workaround, implement strict input validation and sanitization on the Name parameter and consider using a WAF with XSS protection.
While no active campaigns have been publicly reported, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Proactive mitigation is highly recommended.
As of the current disclosure, erzhongxmu has not released an official advisory. Refer to the National Vulnerability Database (NVD) entry for CVE-2026-3028 for more information: https://nvd.nist.gov/vuln/detail/CVE-2026-3028
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.