CVE-2026-10153: Cross-Site Scripting in westboy CicadasCMS Search Function
A cross-site scripting (XSS) vulnerability has been identified in westboy CicadasCMS. The flaw exists in the Search function and can be exploited by manipulating a specific argument to inject malicious scripts. An attacker can send a crafted request to a vulnerable instance to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session data, credentials, or performing actions on their behalf. Exploitation requires user interaction (such as clicking a malicious link) but does not require authentication. A proof-of-concept has already been published, increasing practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
A flaw has been found in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is the function Search of the file org/springframework/cache/support/AbstractCacheManager.java. This manipulation of the argument s causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10153 is a reflected cross-site scripting vulnerability in the Search function of org/springframework/cache/support/AbstractCacheManager.java within westboy CicadasCMS (up to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab). The vulnerability stems from insufficient input sanitization on the 's' argument, allowing an attacker to inject arbitrary HTML and JavaScript. The attack vector is network-based with low attack complexity; no special privileges are required. The CVSS v3.1 score of 4.3 (MEDIUM) reflects the moderate scope of impact: integrity is compromised through client-side script execution, but confidentiality and availability are not directly affected. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code).
Business impact
While the CVSS score is MEDIUM, the business impact depends on the deployment context. For public-facing search functionality, attackers can craft URLs to steal session tokens, redirect users to phishing sites, or deface application content. Organizations running CicadasCMS that expose the Search feature to untrusted users face reputational risk and potential compliance violations (GDPR, HIPAA, PCI-DSS) if user data is compromised. The public availability of exploit code accelerates the timeline for attack attempts. Internal-only deployments face lower risk if access is properly restricted.
Affected systems
This vulnerability affects westboy CicadasCMS up to and including commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. CicadasCMS uses a rolling release model without traditional versioned releases, making version identification challenging. Organizations should verify their exact commit hash or deployment date against the vendor's repository history. Any instance with the vulnerable Search function exposed is at risk, particularly if it handles external user input or is accessible from untrusted networks.
Exploitability
Exploitation is relatively straightforward and does not require special privileges or credentials. An attacker crafts a malicious URL embedding JavaScript payload in the Search parameter and sends it to a target user via email, social media, or forums. Once the target clicks the link, the payload executes in their browser with their session privileges. Published exploit code lowers the barrier to entry for less-skilled attackers. The attack is reliable across different browsers and does not depend on specific system configurations. User interaction (clicking a link) is the primary requirement, which is feasible in real-world phishing campaigns.
Remediation
Immediate action: Apply input validation and output encoding to the Search function. Sanitize the 's' argument by removing or escaping HTML special characters before rendering in the response. Implement a Content Security Policy (CSP) to restrict inline script execution. Long-term: Update to a patched commit once the vendor releases a fix. CicadasCMS maintainers should be monitored for a response to the early issue report. Organizations unable to patch immediately should restrict access to the Search feature via firewall rules, reverse proxy authentication, or temporary disabling if non-critical.
Patch guidance
CicadasCMS follows a rolling release model without traditional version numbers. Verify the current commit hash of your deployment. Monitor the westboy CicadasCMS repository for commits that address this vulnerability after the vendor responds to the issue report. Once a patched commit is released, update your deployment and validate that the Search function properly sanitizes input. Testing should include attempts to inject common XSS payloads (e.g., <script>alert('XSS')</script>) to confirm the fix is effective.
Detection guidance
Monitor web server logs for Search requests containing suspicious patterns: encoded characters (%3c, %3e, %22), script tags, event handlers (onload, onerror, onclick), or Base64-encoded payloads. Implement Web Application Firewall (WAF) rules to block requests with XSS signatures. Check browser console logs and network traffic for unexpected external script loads. Search application logs for exceptions or errors triggered by malformed input. Correlate user session activity with suspicious Search parameters to identify compromised sessions. Endpoint Detection and Response (EDR) tools may flag unusual JavaScript execution on user workstations if an attack succeeds.
Why prioritize this
This vulnerability should be prioritized based on deployment scope. If CicadasCMS is exposed to external users or handles sensitive data, patch within 30 days. The public availability of exploit code and the ease of exploitation elevate risk despite the MEDIUM CVSS score. Internal-only deployments with restricted access may have longer remediation windows (60–90 days) but should still be included in the patch cycle. The vendor's lack of response suggests no official patch is imminent; interim compensating controls are essential.
Risk score, explained
The CVSS v3.1 score of 4.3 reflects a network-accessible vulnerability with low attack complexity and no privilege requirements, but limited impact scope (user session integrity only). The score does not account for real-world factors: published exploit code, user interaction requirement (lowering barrier to targeting via phishing), and the potential for lateral movement or credential theft post-exploitation. Organizations handling PII, financial data, or critical infrastructure should treat this as HIGH priority despite the MEDIUM base score. The KEV program has not yet listed this vulnerability, indicating it is not yet observed in active exploitation at scale.
Frequently asked questions
Does this vulnerability allow remote code execution on the server?
No. CVE-2026-10153 is a reflected XSS vulnerability that executes only in the user's browser, not on the server. An attacker gains the ability to execute JavaScript in the context of a user's session but cannot directly compromise the underlying CicadasCMS server or access the file system.
Do we need to patch if we have a WAF in front of our CicadasCMS instance?
A WAF can reduce risk by filtering XSS payloads, but it is not a substitute for patching. WAF rules may be bypassed with obfuscation techniques, and defense-in-depth requires both network and application-layer controls. Patch the application as soon as a fix is available.
How do we check which commit of CicadasCMS we are running?
Since CicadasCMS uses rolling releases, check the commit hash in your deployment's .git directory (git rev-parse HEAD) or look for version metadata in configuration or build artifacts. Compare against the vulnerable commit (2431154dac8d0735e04f1fd2a3c3556668fc8dab). If you are on a commit after this hash, verify that the vulnerability has been fixed by testing XSS payloads in the Search function.
Is there an official patch from westboy yet?
As of the last update, the vendor was informed early but has not yet responded publicly. No official patched version has been released. Monitor the westboy CicadasCMS repository and security advisories for updates. In the interim, apply the remediation guidance (input validation, output encoding, WAF rules) to reduce risk.
This analysis is provided for informational purposes to support vulnerability management decision-making. SEC.co makes no warranty regarding the accuracy or completeness of this information and disclaims liability for any reliance thereon. Organizations must independently verify affected versions, validate patches, and conduct security testing in their environments. Threat intelligence and CVSS scores are subject to change as new information emerges. Always consult official vendor advisories and security bulletins before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10173MEDIUMCross-Site Scripting in Orthanc Explorer 2 – Patch Guidance & Detection
- CVE-2026-10289MEDIUMXSS Vulnerability in Hotel and Tourism Reservation System 1.0
- CVE-2026-10301MEDIUMReflected XSS in itsourcecode Fees Management System 1.0 – Exploit Public
- CVE-2026-10810MEDIUMCross-Site Scripting in itsourcecode Fees Management System v1.0
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability