CVE-2026-29598
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
Multiple stored cross-site scripting (XSS) vulnerabilities were discovered in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1. Attackers can inject malicious JavaScript or HTML payloads into the First Name and Last Name parameters, leading to script execution in other users' browsers.
Risk Assessment
The risk includes session theft, administrator account takeover, or sensitive data leakage through arbitrary script execution within the application context. This can be leveraged for further privilege escalation within the organization.
Recommendation
Immediately upgrade Acora CMS to the latest patched version. As a temporary measure, implement input validation and sanitization for the First Name and Last Name parameters, and enforce a Content Security Policy (CSP).
Original NVD description (English source)
Multiple stored cross-site scripting (XSS) vulnerabilities in the submit_add_user.asp endpoint of DDSN Interactive Acora CMS v10.7.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the First Name and Last Name parameters.

