CVE-2026-29840

Name of the Vulnerable Software and Affected Versions JiZhiCMS versions 2.5.6 and earlier

Description The software contains a Stored Cross-Site Scripting (XSS) issue in the release function within the app/home/c/UserController.php file. The application attempts to sanitize input by filtering <script> tags, but it does not recursively remove dangerous event handlers in other HTML tags, such as onerror in <img> tags. This allows a remote attacker with authentication to inject arbitrary web script or HTML through the body parameter in a POST request to the /user/release.html API endpoint.

Recommendations Versions prior to 2.5.6 should be updated.