PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10153 westboy CVE debrief

A cross-site scripting (XSS) vulnerability exists in westboy CicadasCMS, affecting the Search function in org/springframework/cache/support/AbstractCacheManager.java. The flaw allows remote attackers to inject malicious scripts via the 's' argument. The vulnerability has a LOW severity CVSS score of 2.1 and has been publicly disclosed with exploit availability noted. The project uses a rolling release model without specific version identifiers for affected or patched releases. The vendor was notified through a Gitee issue report but had not responded as of the CVE publication date of May 30, 2026.

Vendor: westboy
Product: CicadasCMS
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-05-30
Advisory published: 2026-05-30
Advisory updated: 2026-05-30

Who should care

Organizations running westboy CicadasCMS instances, particularly those exposing search functionality to untrusted users. Security teams monitoring for XSS exposure in Java-based content management systems. Developers maintaining forked or customized versions of CicadasCMS.

Technical summary

The vulnerability exists in the Search function within org/springframework/cache/support/AbstractCacheManager.java of westboy CicadasCMS. The 's' parameter is insufficiently sanitized, allowing injection of executable scripts. Remote exploitation is possible with user interaction required. The CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P. The product follows continuous delivery without discrete version numbering, complicating patch tracking.

Defensive priority

Low

Recommended defensive actions

  • Review and sanitize all user-supplied input to the Search function, particularly the 's' parameter, implementing proper output encoding before rendering in HTML contexts
  • Deploy Content Security Policy (CSP) headers to mitigate impact of any XSS vulnerabilities in the application
  • Monitor the Gitee issue tracker for vendor response or patch availability
  • Consider implementing additional input validation layers such as allowlists for expected search term patterns
  • Review application logs for anomalous search requests containing script tags or encoded JavaScript payloads
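The last action above, as an added example that is not part of this advisory or of CicadasCMS: a Python triage script that pulls the 's' parameter out of web-server access-log lines, percent-decodes it (including double-encoded values, which a single decoding pass would miss) and flags script-like content for review. The Combined Log Format, the /search path and the sample lines are constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Markup that has no place in a plain search term; matched after full decoding.
# Coarse by design: a triage filter for log review, not a blocking rule.
SUSPICIOUS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b", re.IGNORECASE)

# Combined Log Format request line (assumed format of the constructed samples below).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input (%253C -> %3C -> <) is seen."""
    while rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds - 1
    return value


def search_terms(path: str) -> List[str]:
    """Return every decoded value of the 's' query parameter in a request path."""
    query = urlsplit(path).query  # parse_qs performs the first decoding round itself
    return [decode_fully(v) for v in parse_qs(query, keep_blank_values=True).get("s", [])]


def flag_line(line: str) -> Optional[Tuple[str, str]]:
    """(client ip, decoded term) when the 's' parameter looks like script injection."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    for term in search_terms(m.group("path")):
        if SUSPICIOUS.search(term):
            return m.group("ip"), term
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run flag_line over an access log and keep only the hits."""
    return [hit for hit in map(flag_line, lines) if hit is not None]


# Constructed sample access-log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/May/2026:10:00:01 +0000] "GET /search?s=cicadas+theme HTTP/1.1" 200 5120',
    '198.51.100.9 - - [30/May/2026:10:00:05 +0000] "GET /search?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301',
    '198.51.100.9 - - [30/May/2026:10:00:09 +0000] "GET /search?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5290',
    '198.51.100.12 - - [30/May/2026:10:00:12 +0000] "GET /article/12?s=none HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, term in scan(SAMPLE_LOG):
        print(f"{ip} sent suspicious search term: {term!r}")
```

Hits from `scan()` are the requests worth checking against the search results page for reflection; ordinary terms such as the first sample line pass through silently.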

Evidence notes

The vulnerability was reported through a Gitee issue (IJKWOH) and documented by VulDB. The CNA-assigned CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and user interaction required. The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection). The NVD status is 'Received' as of publication. Vendor identification is marked low confidence with Gitee as the reference domain candidate.
