LOW 2.4

CVE-2026-10529: westboy CicadasCMS XSS in Task Scheduling Module

A cross-site scripting (XSS) vulnerability has been discovered in westboy CicadasCMS affecting the Task Scheduling Management Module. The flaw exists in the ScheduleJobController component and can be triggered by an authenticated user with elevated privileges through a specially crafted request. While the vulnerability requires administrative or high-privilege access to exploit, the presence of user interaction (rendering) combined with public availability of exploit details elevates attention. The CMS uses a rolling release model, making definitive version tracking difficult, though the affected commit hash has been identified.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling Management Module. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10529 is a stored or reflected XSS vulnerability (CWE-79) located in src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java. The vulnerability also exhibits characteristics of code injection (CWE-94), suggesting unsafe handling of user-supplied input without proper sanitization or output encoding in the task scheduling interface. The vulnerability requires network access and can be executed by authenticated users with high privilege levels. No authentication bypass or privilege escalation is indicated, limiting the attack surface to administrators or similarly trusted roles. The CVSS 3.1 score of 2.4 (LOW severity) reflects the requirement for high-privilege user involvement and the limited scope of impact to integrity only.

Business impact

Business impact is contained due to privilege requirements, but should not be dismissed. An attacker with administrative credentials or who compromises a high-privilege account could deface or inject malicious content into the task scheduling interface, potentially affecting automated job visibility or audit logs viewed by other administrators. In multi-tenant or shared CMS environments, this could be leveraged for privilege escalation scenarios or lateral movement. The lack of vendor response to the early disclosure adds uncertainty about patch timeline.

Affected systems

westboy CicadasCMS is affected up to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The project operates on a rolling release model without discrete version numbers, making traditional version-based tracking impractical. Organizations must identify deployments by commit hash or build date. The exact scope of downstream projects or distributions using CicadasCMS is unclear from available data.

Exploitability

Exploitability is moderate in practice despite the low CVSS score. Public exploit code is available, lowering the barrier to weaponization. However, the attack requires high-privilege user interaction—an attacker must either authenticate as an administrator or trick one into clicking a malicious link. The CVSS vector AV:N/AC:L/PR:H/UI:R reflects this: network-accessible but gated by administrative credentials and user action. Real-world exploitation likelihood depends on the maturity and trustworthiness of administrative teams.

Remediation

Remediation requires either patching or restricting access to the affected component. Since CicadasCMS uses rolling releases and the vendor has not yet responded to the early disclosure, no official patch version can be recommended. Organizations should: (1) contact the westboy project directly for status, (2) apply input validation and output encoding fixes locally if capable, (3) restrict access to the Task Scheduling Management Module to trusted administrators only, and (4) monitor for indicators of exploitation. If a patch is released, update to the latest commit hash after vendor confirmation.

Patch guidance

No official patch has been released as of the latest information. Verify directly with the westboy CicadasCMS project for patch availability and recommended commit hash or build. Given the rolling release model, monitor the project repository for security commits. Once patched, organizations should test thoroughly in a staging environment before production deployment, as task scheduling modules are often critical to CMS automation.

Detection guidance

Monitor for XSS-related payloads in request parameters to the ScheduleJobController endpoint (commonly /api/schedule or similar paths depending on deployment). Log all access to the Task Scheduling Management Module by administrative users, focusing on unusual parameter values or encoded JavaScript. Look for changes to scheduled job configurations immediately after new administrator logins or from unfamiliar IP addresses. Web application firewalls (WAF) should block common XSS patterns (script tags, event handlers) at the application-level input validation.

Why prioritize this

Despite the LOW CVSS score, this vulnerability warrants prompt attention in organizations running westboy CicadasCMS because: (1) public exploit code reduces attacker skill requirements, (2) the vendor has not yet responded, leaving patch timeline uncertain, (3) task scheduling modules often run with high privileges and affect business-critical automation, and (4) administrative compromise could lead to broader lateral movement. Organizations should prioritize inventory and assessment over panic-driven patching.

Risk score, explained

The CVSS 3.1 score of 2.4 reflects: low attack complexity (standard XSS delivery), network accessibility (no special network position required), but mandatory high-privilege user involvement (PR:H) and required user interaction (UI:R). Impact is limited to integrity only (I:L) with no confidentiality or availability impact. The score appropriately penalizes the attack for its gating factors but does not fully account for the availability of public exploits or vendor non-responsiveness, which elevate operational risk beyond the base score.

Frequently asked questions

Does this vulnerability require me to have administrator credentials to exploit it?

Yes. The CVSS vector PR:H (High Privilege Required) means the attacker must authenticate as a user with administrative or equivalent elevated permissions, or the attack must trick an authenticated administrator into following a malicious link. This significantly limits the attack surface compared to unauthenticated vulnerabilities.

What is a rolling release model, and why does it complicate patching for CicadasCMS?

A rolling release model delivers updates continuously without discrete version numbers (1.0, 2.0, etc.), instead using commit hashes or build dates. This makes it harder for security teams to track which exact version they are running and when a patch is available. You must work directly with the vendor to identify the patched commit hash and verify your deployed hash against it.

Since this is rated LOW severity, should I deprioritize it?

Not entirely. While CVSS 3.1 reflects the technical constraints (privilege requirement, user interaction), the availability of public exploit code and vendor non-responsiveness increase practical risk. Treat it as a medium-priority inventory and assessment task: ensure you know if you run CicadasCMS, restrict administrative access further, and monitor for updates. Re-escalate if vendor guidance changes or if you are operating in a high-trust environment where administrative accounts are shared.

Can this vulnerability allow me to execute arbitrary code on the CMS server?

The vulnerability is classified as XSS with code injection characteristics (CWE-79 and CWE-94), suggesting script injection rather than remote code execution (RCE). The injected JavaScript runs in the context of the administrator's browser session, not on the server itself. However, depending on the CMS's architecture and what an authenticated administrator can do via the web interface, stored XSS could be a stepping stone to further attacks.

This analysis is based on the CVE record published on 2026-06-02 and last modified on 2026-06-17. No official patch version or vendor statement was available at publication time. Organizations should verify current patch status directly with westboy CicadasCMS maintainers. This page does not constitute security advice and should be supplemented with internal risk assessment, asset inventory, and threat modeling. SEC.co does not endorse any third-party exploit code or tools. Always test patches in a staging environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).