CVE-2026-29598 identifies multiple stored cross-site scripting (XSS) vulnerabilities within the submit_add_user.asp endpoint of DDSN Interactive Acora CMS version 10.7.1. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input in the First Name and Last Name parameters before storing and subsequently rendering it in web pages. An attacker with authenticated access can inject crafted malicious JavaScript or HTML payloads into these parameters. When other users or administrators view the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that exploitation requires low complexity but does require privileges and user interaction. The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable code, possibly impacting other users or systems. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions within affected organizations. Successful exploitation can allow attackers to execute arbitrary scripts in the context of the vulnerable web application, leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. While availability is not directly affected, the reputational damage and potential data breaches can have significant operational and financial consequences. Organizations relying on DDSN Interactive Acora CMS for critical web services or user management may face increased risk of targeted attacks, especially if administrative users are tricked into executing malicious payloads. The requirement for authentication and user interaction somewhat limits the attack surface but does not eliminate risk, particularly in environments with many users or weak access controls.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on all user-supplied data, especially in the First Name and Last Name fields within the submit_add_user.asp endpoint. Employ context-aware encoding (e.g., HTML entity encoding) to neutralize malicious scripts before rendering. Restrict user privileges to the minimum necessary to reduce the risk of authenticated attackers injecting payloads. Monitor and audit user input fields for suspicious content. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script sources. Since no official patches are currently available, consider temporary workarounds such as disabling or restricting access to the vulnerable endpoint or using web application firewalls (WAFs) with custom rules to detect and block malicious input patterns. Stay alert for vendor updates or patches and apply them promptly once released.