Platform: java
Component: jeewms
Fixed versions: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability discovered in JEEWMS versions 3.0 to 3.7. This flaw resides within the doAdd function of the JeecgListDemoController.java file, allowing attackers to inject malicious scripts through manipulation of the Name argument. The vulnerability is remotely exploitable and has been publicly disclosed, highlighting the urgency of remediation.
Successful exploitation of CVE-2026-3028 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the JEEWMS application. This can lead to a variety of malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. An attacker could potentially gain access to sensitive data stored within JEEWMS, such as user information, financial records, or other confidential data. The impact is amplified if JEEWMS is integrated with other systems, as the attacker could potentially use this vulnerability as a stepping stone to compromise other parts of the infrastructure.
CVE-2026-3028 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability's severity is rated as medium (CVSS 4.3). No specific exploit campaigns or actor attribution have been publicly reported at this time. The vulnerability was disclosed to the vendor, erzhongxmu, but they did not respond. Refer to the NVD entry published on 2026-02-23 for further details.
Exploitation status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3028 is to upgrade JEEWMS to a patched version. Unfortunately, a fixed version is not currently specified. As a temporary workaround, implement strict input validation and sanitization on the Name parameter within the doAdd function. This can be achieved by using a web application firewall (WAF) with XSS protection rules or by implementing custom filtering logic. Additionally, consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed, limiting the potential impact of a successful XSS attack. Regularly review and update JEEWMS configuration to ensure best practices are followed.
Update JEEWMS to a version above 3.7 to fix the cross-site scripting (XSS) vulnerability in the doAdd function of the JeecgListDemoController.java file. Refer to the release notes or changelog for more details on the specific fix. If no fixed version exists, consider implementing mitigations such as validating and sanitizing user input to prevent malicious code injection.
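As an added illustration of the workaround described in the two mitigation paragraphs above (this is example code written for this page, not code from JEEWMS or erzhongxmu; the class name, method names, length limit and header values are assumptions), the following Java program validates a submitted name value, HTML-encodes it before it is written into a page so that a script payload is rendered as text rather than executed, and builds the Content Security Policy header the text recommends as defence in depth:

```java
// Added example (not JEEWMS code): validate the untrusted "name" value, HTML-escape it at
// output time, and emit a CSP header. Names and limits here are assumptions for illustration.
import java.util.LinkedHashMap;
import java.util.Map;

public class XssMitigationExample {

    /** Escape the characters that let a value break out of HTML text or attribute context. */
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reject values that can never be a legitimate record name (empty, over-long, control characters). */
    public static boolean isValidName(String input) {
        if (input == null || input.isEmpty() || input.length() > 100) {   // 100 is an assumed limit
            return false;
        }
        for (int i = 0; i < input.length(); i++) {
            if (Character.isISOControl(input.charAt(i))) {
                return false;
            }
        }
        return true;
    }

    /** Defence-in-depth headers for every response; CSP restricts where scripts may be loaded from. */
    public static Map<String, String> securityHeaders() {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
        headers.put("X-Content-Type-Options", "nosniff");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample input: a name carrying the classic script test string.
        String submitted = "<script>alert(1)</script>";
        System.out.println("accepted by validation: " + isValidName(submitted));
        // Even when a value passes validation, encoding at output time is what keeps the browser
        // from treating it as markup; the cell below is rendered as visible text only.
        String rendered = "<td>" + escapeHtml(submitted) + "</td>";
        System.out.println(rendered);
        securityHeaders().forEach((name, value) -> System.out.println(name + ": " + value));
    }
}
```

Compile and run with `javac XssMitigationExample.java && java XssMitigationExample`. Validation alone is a weak control for a free-text field (legitimate names can contain apostrophes or ampersands), which is why the example escapes at the point where the value is written into HTML; in a real controller the equivalent is applying the escaping (or the templating engine's auto-escaping) to every response path that reflects the name, and sending the CSP header from a filter so it covers all pages.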
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability affecting JEEWMS versions 3.0 through 3.7. It allows attackers to inject malicious scripts through the Name parameter in the doAdd function, potentially leading to session hijacking and data theft.
If you are running JEEWMS versions 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, or 3.7, you are potentially affected by this vulnerability. Check your JEEWMS version and apply the recommended mitigations.
Upgrade to a patched version of JEEWMS. As a workaround, implement strict input validation and sanitization on the Name parameter and consider using a WAF with XSS protection.
While no active campaigns have been publicly reported, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Proactive mitigation is highly recommended.
As of the current disclosure, erzhongxmu has not released an official advisory. Refer to the National Vulnerability Database (NVD) entry for CVE-2026-3028 for more information: https://nvd.nist.gov/vuln/detail/CVE-2026-3028