CVE Catalog

CVE-2026-29598

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

Multiple stored cross-site scripting (XSS) vulnerabilities were discovered in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1. Attackers can inject malicious JavaScript or HTML payloads into the First Name and Last Name parameters, leading to script execution in other users' browsers.

Risk Assessment

The risk includes session theft, administrator account takeover, or sensitive data leakage through arbitrary script execution within the application context. This can be leveraged for further privilege escalation within the organization.

Recommendation

Immediately upgrade Acora CMS to the latest patched version. As a temporary measure, implement input validation and sanitization for the First Name and Last Name parameters, and enforce a Content Security Policy (CSP).

Original NVD description (English source)

Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the First Name and Last Name parameters.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS