CVE-2026-36763
Stored XSS in SpringBlade API Notice Submission

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.
Meta Information
Published: 2026-04-30
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor        Product       Version / Range
shopizer      shopizer      to 3.2.6 (exc)
chillzhuang   springblade   to 4.8.0 (inc)
chillzhuang   springblade   *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36763 is a stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade version 4.8.0 and earlier.

Attackers can exploit this vulnerability by injecting crafted input containing malicious JavaScript or HTML into the content parameter. The vulnerability arises because the filtering mechanism (XssHtmlFilter) is applied to the raw JSON body before deserialization, which fails to detect Unicode escape sequences representing HTML tags. After deserialization, these escapes are converted into actual HTML, which is stored in the database and later executed in the victim's browser.

This flaw allows attackers to bypass the XSS filter and inject arbitrary scripts that execute automatically when rendered, potentially affecting users who view the malicious content.


How can this vulnerability impact me?

This stored XSS vulnerability can have several impacts:

  • Attackers can execute arbitrary JavaScript in the context of the victim's browser.
  • It enables session hijacking, allowing attackers to steal user sessions.
  • Privilege escalation is possible by sending malicious notices from low-privilege users to high-privilege users such as administrators.
  • Attackers can perform arbitrary API executions by leveraging the injected scripts.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /api/blade-desk/notice/submit endpoint for stored cross-site scripting (XSS) by injecting crafted inputs into the content parameter that use JSON Unicode escape sequences (e.g., \u003cimg src=x onerror=alert(1)\u003e). Observing if the injected script executes when the content is rendered indicates the presence of the vulnerability.

A practical approach is to send a crafted HTTP POST request with a JSON body containing the content parameter set to a payload with Unicode escapes representing HTML/JavaScript tags. For example, using curl:

  • curl -X POST https://[target]/api/blade-desk/notice/submit -H 'Content-Type: application/json' -d '{"content":"\u003cimg src=x onerror=alert(1)\u003e"}'

If the alert or script executes when the content is viewed in the application, the vulnerability exists.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to stop filtering the raw JSON body as if it were HTML and instead sanitize the content parameter after JSON deserialization, once escape sequences have been decoded into the characters that will actually be stored.

Use a proven HTML sanitization library such as OWASP Java HTML Sanitizer or jsoup to clean the content field before storing or rendering it.

Additionally, ensure proper output encoding on the frontend when rendering the content to prevent execution of injected scripts.
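The following Python script is an added illustration, not code from SpringBlade or from this page, of the two points made in the detection and mitigation answers above: why a tag filter applied to the raw JSON body misses Unicode-escaped brackets, and why the same check applied after deserialization (or output encoding at render time) catches them. The raw_body_filter function is an assumed model of the flawed design, not SpringBlade's XssHtmlFilter source; the request bodies are constructed samples, the escaped one using the payload shape already quoted in the detection answer.

```python
import html
import json
import re

# Constructed sample request bodies (not captured from a real system).
# The second hides an HTML tag behind JSON Unicode escapes: \u003c = '<', \u003e = '>'.
LITERAL_TAG_BODY = '{"content":"<b>hello</b>"}'
ESCAPED_TAG_BODY = r'{"content":"\u003cimg src=x onerror=alert(1)\u003e"}'

# Naive tag pattern used by the modelled filter.
TAG_RE = re.compile(r"<[^>]*>")
# Detection signal for logs or WAF rules: JSON escapes that decode to angle brackets.
ESCAPED_ANGLE_RE = re.compile(r"\\u003[cCeE]")


def raw_body_filter(raw_json: str) -> str:
    """Model of the flawed design (an assumption, not SpringBlade's XssHtmlFilter code):
    strip HTML tags from the raw JSON text *before* it is deserialized."""
    return TAG_RE.sub("", raw_json)


def flawed_pipeline(raw_json: str) -> str:
    """Filter first, deserialize second. Escaped brackets contain no literal '<',
    so the filter leaves them alone and json.loads() turns them into a real tag."""
    return json.loads(raw_body_filter(raw_json))["content"]


def hardened_pipeline(raw_json: str) -> str:
    """Deserialize first, then neutralize the decoded field. Entity encoding is used
    here; a policy-based sanitizer (e.g. OWASP Java HTML Sanitizer or jsoup) would
    sit at the same point in the pipeline, after the escapes have been decoded."""
    content = json.loads(raw_json)["content"]
    return html.escape(content, quote=True)


def contains_markup(value: str) -> bool:
    """True if the stored value could still be interpreted as HTML when rendered."""
    return "<" in value or ">" in value


def escaped_markup_in_body(raw_json: str) -> bool:
    """Detection helper: flag raw JSON bodies carrying Unicode-escaped angle brackets,
    which is exactly the shape a pre-deserialization filter does not see."""
    return ESCAPED_ANGLE_RE.search(raw_json) is not None


if __name__ == "__main__":
    for body in (LITERAL_TAG_BODY, ESCAPED_TAG_BODY):
        print("body:", body)
        print("  flawed   ->", repr(flawed_pipeline(body)),
              "| markup left:", contains_markup(flawed_pipeline(body)))
        print("  hardened ->", repr(hardened_pipeline(body)),
              "| markup left:", contains_markup(hardened_pipeline(body)))
        print("  flagged by escape check:", escaped_markup_in_body(body))
```

Running the script shows the literal-tag body being cleaned by both pipelines, while the escaped body passes the raw filter untouched and only the post-deserialization path neutralizes it. The escaped_markup_in_body check is the cheap signal to add to request logging or a WAF rule while the application-side fix is being deployed.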


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The stored cross-site scripting (XSS) vulnerability in SpringBlade v4.8.0 allows attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, privilege escalation, and unauthorized API execution.

Such exploitation can result in unauthorized access to sensitive user data or administrative functions, which may violate data protection requirements under regulations like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access and attacks.

Therefore, this vulnerability poses a risk to compliance with these standards by undermining the confidentiality and integrity of protected data through client-side script injection and subsequent unauthorized actions.

