The vulnerability identified as CVE-2026-29840 affects JiZhiCMS versions 2.5.6 and earlier. It is a stored Cross-Site Scripting (XSS) flaw located in the release function within the app/home/c/UserController.php file. The root cause is insufficient input sanitization: while the application attempts to filter out <script> tags from user input, it does not recursively sanitize other HTML elements that can carry malicious event handlers, such as 'onerror' attributes in <img> tags. This incomplete sanitization allows an authenticated remote attacker to inject arbitrary JavaScript or HTML code into the 'body' parameter of a POST request to the /user/release.html endpoint. Because the malicious payload is stored, it can be served to other users or the attacker themselves, leading to script execution in their browsers. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of users. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requires privileges (authenticated user), requires user interaction, and affects confidentiality and integrity with no impact on availability. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed, increasing the risk of future exploitation.

If exploited, this stored XSS vulnerability could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the application. Since the vulnerability requires authentication, the attacker must have valid credentials, limiting exposure to internal or compromised users. However, the scope of impact includes any organization using JiZhiCMS versions 2.5.6 or earlier, especially those with multiple users or administrators who might be targeted. The vulnerability could facilitate lateral movement within an organization or compromise user trust. Although no availability impact is noted, the confidentiality and integrity risks are significant enough to warrant prompt remediation. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly documented.

Organizations should immediately review and upgrade JiZhiCMS to a version that addresses this vulnerability once available. In the absence of an official patch, implement additional input validation and sanitization on the server side, ensuring recursive removal of all potentially dangerous HTML attributes, including event handlers like 'onerror'. Employ a robust web application firewall (WAF) configured to detect and block malicious payloads targeting XSS vectors. Limit user privileges to the minimum necessary to reduce the risk of authenticated attackers exploiting this flaw. Conduct regular security audits and penetration testing focusing on input validation mechanisms. Educate users about the risks of clicking on suspicious links or executing unexpected scripts. Monitor application logs for unusual POST requests to /user/release.html and anomalous user behavior that may indicate exploitation attempts.