CVE-2026-3028 identifies a cross-site scripting vulnerability in the erzhongxmu JEEWMS product, specifically affecting versions 3.0 through 3.7. The vulnerability resides in the doAdd method within the JeecgListDemoController.java source file, where the 'Name' parameter is not properly sanitized or encoded before being reflected in the web response. This allows an attacker to craft malicious input that, when submitted remotely, can execute arbitrary JavaScript in the context of the victim's browser. The attack vector is network accessible without requiring authentication, increasing the exposure. However, exploitation requires user interaction, such as clicking a malicious link or submitting a crafted form. The vulnerability impacts the confidentiality and integrity of user sessions by enabling theft of cookies, session tokens, or performing unauthorized actions on behalf of the user. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation balanced against the need for user interaction and limited impact on availability. Despite public disclosure, no official patches or vendor responses have been issued, leaving affected systems exposed. No known exploits in the wild have been reported yet, but the public availability of the vulnerability details increases the risk of future attacks.

The primary impact of CVE-2026-3028 is the compromise of user confidentiality and integrity through cross-site scripting attacks. Attackers can steal session cookies, perform actions on behalf of authenticated users, or deface web content, potentially damaging organizational reputation and user trust. While availability is not directly affected, successful exploitation could lead to secondary attacks such as phishing or malware delivery. Organizations relying on JEEWMS for enterprise workflow or content management may face data leakage or unauthorized access risks. The lack of vendor response and patches prolongs exposure, increasing the window for attackers to develop and deploy exploits. The medium severity rating indicates moderate risk, but the ease of remote exploitation without authentication makes it a significant concern for organizations with exposed JEEWMS instances, especially those accessible over the internet.

Since no official patches are available, organizations should implement immediate compensating controls. These include applying strict input validation and output encoding on the 'Name' parameter within the affected doAdd function to neutralize malicious scripts. Web application firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting this endpoint. Restricting access to the JEEWMS application to trusted networks or VPNs reduces exposure to remote attackers. Educate users about the risks of clicking suspicious links or submitting untrusted input. Regularly monitor web server logs for unusual requests targeting the vulnerable function. Consider upgrading or migrating to alternative solutions if vendor support remains absent. Finally, implement Content Security Policy (CSP) headers to limit the impact of any successful script injection by restricting script sources.