Platform: javascript
Component: notice-form-drawer-vue
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1, 3.8.1, 3.9.1, 3.10.1, 3.11.1, 3.12.1, 3.13.1, 3.14.1, 3.15.1, 3.16.1, 3.17.1, 3.18.1, 3.19.1, 3.20.1, 3.21.1, 3.22.1, 3.23.1, 3.24.1, 3.25.1, 3.26.1, 3.27.1, 3.28.1, 3.29.1
CVE-2026-3720 describes a cross-site scripting (XSS) vulnerability discovered in 1024-lab SmartAdmin versions 3.0 through 3.29. This flaw impacts the Notice Module, specifically the notice-form-drawer.vue component, allowing attackers to inject malicious scripts. A public proof-of-concept exists, indicating a potential for active exploitation. Mitigation involves upgrading to a patched version when available.
Successful exploitation of CVE-2026-3720 allows an attacker to inject arbitrary JavaScript code into the context of a user's browser session within the SmartAdmin application. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the application's user interface. The attacker could potentially steal sensitive data entered by users within the Notice Module, such as internal communications or project updates. Given the web-based nature of the application, the blast radius extends to any user accessing the vulnerable component, potentially impacting a wide range of individuals within an organization.
CVE-2026-3720 has a LOW CVSS score of 3.5. A public proof-of-concept has been released, indicating a moderate risk of exploitation. The vulnerability was disclosed on 2026-03-08, and the vendor has not yet responded. Active exploitation is possible given the availability of a PoC.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-3720 is to upgrade to a patched version of 1024-lab SmartAdmin. As of the publication date, no patch has been released. Until a patch is available, consider implementing input validation and output encoding on the notice-form-drawer.vue component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Monitor application logs for suspicious activity, such as unusual JavaScript execution patterns.
Update SmartAdmin to a version later than 3.9. If no version is available, review the code in smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue and fix the XSS vulnerabilities. Ensure you escape or sanitize user inputs before rendering them on the page.
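The output encoding recommended above could look like the following sketch, which is an added example and not code from SmartAdmin or its maintainers. The field names (title, author, content, link) and the helper names are assumptions, and it assumes the notice body is meant to be displayed as plain text rather than rich HTML.

```javascript
// Added example. Field and function names are hypothetical, not SmartAdmin's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme is dropped.
function safeUrl(value) {
  try {
    const url = new URL(String(value ?? '').trim());
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '';
  } catch {
    return ''; // relative or malformed input is rejected in this sketch
  }
}

// Return a copy of a notice that is safe to hand to an HTML sink.
function encodeNoticeForRender(notice) {
  return {
    title: escapeHtml(notice.title),
    author: escapeHtml(notice.author),
    // Treat the body as plain text: encode first, then restore line breaks.
    content: escapeHtml(notice.content).replace(/\r?\n/g, '<br>'),
    link: escapeHtml(safeUrl(notice.link)),
  };
}

// Constructed sample input, not taken from the public proof-of-concept.
const sample = {
  title: '<script>alert(1)</script>Maintenance',
  author: 'ops "team"',
  content: 'Line 1\n<img src=x onerror=alert(1)>',
  link: 'javascript:alert(1)',
};
console.log(encodeNoticeForRender(sample));
```

If notices must carry rich HTML, encode-everything is not an option and the body should instead pass through a maintained allowlist sanitizer before it is rendered.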
CVE-2026-3720 is a cross-site scripting (XSS) vulnerability affecting 1024-lab SmartAdmin versions 3.0–3.29, allowing attackers to inject malicious scripts via the Notice Module.
If you are using 1024-lab SmartAdmin versions 3.0 through 3.29, you are potentially affected by this vulnerability. Check your version and upgrade when a patch is available.
The recommended fix is to upgrade to a patched version of 1024-lab SmartAdmin. Until a patch is released, implement input validation and output encoding.
A public proof-of-concept exists, indicating a potential for active exploitation. Monitor your application for suspicious activity.
As of the publication date, no official advisory has been released by 1024-lab. Monitor their website and security mailing lists for updates.