CVE-2026-29840: n/a
CVE-2026-29840 is a stored Cross-Site Scripting (XSS) vulnerability in JiZhiCMS version 2.5.6 and earlier. The flaw exists in the release function of the UserController.php file, where input sanitization attempts to filter out <script> tags but fails to remove dangerous event handlers like 'onerror' in other HTML tags. An authenticated attacker can exploit this by injecting malicious scripts via the 'body' parameter in a POST request to /user/release.html. This vulnerability allows persistent script injection that can execute in the context of other users' browsers. No public exploits are currently known, and no CVSS score has been assigned. The vulnerability requires authentication but no user interaction beyond that.
AI Analysis
Technical Summary
CVE-2026-29840 is a stored Cross-Site Scripting (XSS) vulnerability identified in JiZhiCMS version 2.5.6 and earlier. The vulnerability resides in the release function within the app/home/c/UserController.php file. The application attempts to sanitize user input by filtering out <script> tags; however, this sanitization is incomplete because it does not recursively remove dangerous event handler attributes embedded in other HTML tags, such as 'onerror' in <img> tags. This oversight allows an authenticated remote attacker to inject arbitrary HTML or JavaScript code via the 'body' parameter in a POST request to the /user/release.html endpoint. Because the malicious script is stored persistently on the server, it can execute whenever other users view the affected content, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires the attacker to be authenticated, which limits exposure to some extent but does not eliminate risk, especially in environments where user accounts may be compromised or where insider threats exist. No public exploits have been reported yet, and no official patch or CVSS score is currently available. The vulnerability highlights a common pitfall in input sanitization where filtering only specific tags is insufficient to prevent XSS, emphasizing the need for comprehensive input validation and output encoding.
Potential Impact
The impact of CVE-2026-29840 can be significant for organizations using JiZhiCMS, particularly those that allow multiple authenticated users to submit content via the vulnerable release function. Successful exploitation enables attackers to inject persistent malicious scripts that execute in the browsers of other users who view the compromised content. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed with victim privileges, and potential spread of malware. Since the vulnerability requires authentication, the risk is somewhat mitigated by limiting exploitation to users with accounts; however, in many CMS environments, user accounts may be numerous and have varying privilege levels, increasing the attack surface. The vulnerability could also facilitate privilege escalation if attackers leverage XSS to target administrative users. Additionally, organizations may suffer reputational damage and compliance issues if user data is compromised. The absence of a patch and public exploits means organizations should proactively address the issue before attackers develop weaponized payloads.
Mitigation Recommendations
To mitigate CVE-2026-29840, organizations should first check for and apply any official patches or updates from JiZhiCMS once available. In the absence of patches, immediate steps include implementing strict input validation and output encoding on the 'body' parameter to ensure that all HTML tags and attributes, especially event handlers like 'onerror', are properly sanitized or removed. Employing a well-maintained HTML sanitizer library that recursively cleans input is recommended over simple tag filtering. Additionally, enforcing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Restricting user privileges to the minimum necessary reduces the risk of exploitation by limiting which users can submit content. Monitoring logs for suspicious POST requests to /user/release.html and anomalous user behavior can help detect attempted exploitation. Finally, educating users about the risks of XSS and maintaining strong authentication controls will further reduce risk.
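An added example (not JiZhiCMS code and not part of the original advisory): a Python audit over stored 'body' values that flags markup a script-tag-only filter leaves behind. `strip_script_tags` is a hypothetical stand-in for the filter described above, and the sample rows are constructed.

```python
import re
from html.parser import HTMLParser

# Hypothetical stand-in for a filter that only removes <script> elements
# (assumption: the actual JiZhiCMS filter code is not shown on the page).
SCRIPT_RE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)

def strip_script_tags(body: str) -> str:
    return SCRIPT_RE.sub("", body)

class _Auditor(HTMLParser):
    """Collects (tag, attribute, reason) findings from parsed markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so case variants
        # such as OnError are caught by the same checks.
        if tag == "script":
            self.findings.append((tag, "", "script element"))
        for name, _value in attrs:
            if len(name) > 2 and name.startswith("on"):
                self.findings.append((tag, name, "event handler attribute"))

def audit_body(body: str):
    """Return findings for one stored 'body' value."""
    parser = _Auditor()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed sample rows standing in for stored 'body' values.
SAMPLES = {
    1: "<p>Hello <b>world</b></p>",
    2: "<p>x</p><script>console.log(1)</script>",
    3: '<img src="x" onerror="console.log(1)">',
}

def audit_after_filter(samples):
    """Apply the script-only filter, then audit what it let through."""
    return {row: audit_body(strip_script_tags(body))
            for row, body in samples.items()}

if __name__ == "__main__":
    for row, findings in audit_after_filter(SAMPLES).items():
        print(row, findings or "clean")
```

Row 3 is still flagged after filtering, which is the gap the advisory describes. Run against an export of existing content, the same audit can locate entries stored before a fix is in place.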
Affected Countries
China, United States, India, Germany, Brazil, Russia, United Kingdom, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c2b56bf4197a8e3b4a080e
Added to database: 3/24/2026, 4:01:47 PM
Last enriched: 3/24/2026, 4:19:05 PM
Last updated: 3/24/2026, 6:52:17 PM