{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3720", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-07T12:21:13.011Z", "datePublished": "2026-03-08T07:02:13.355Z", "dateUpdated": "2026-03-11T14:47:11.911Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-08T07:02:13.355Z"}, "title": "1024-lab/lab1024 SmartAdmin Notice notice-form-drawer.vue cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "1024-lab", "product": "SmartAdmin", "versions": [{"version": "3.0", "status": "affected"}, {"version": "3.1", "status": "affected"}, {"version": "3.2", "status": "affected"}, {"version": "3.3", "status": "affected"}, {"version": "3.4", "status": "affected"}, {"version": "3.5", "status": "affected"}, {"version": "3.6", "status": "affected"}, {"version": "3.7", "status": "affected"}, {"version": "3.8", "status": "affected"}, {"version": "3.9", "status": "affected"}, {"version": "3.10", "status": "affected"}, {"version": "3.11", "status": "affected"}, {"version": "3.12", "status": "affected"}, {"version": "3.13", "status": "affected"}, {"version": "3.14", "status": "affected"}, {"version": "3.15", "status": "affected"}, {"version": "3.16", "status": "affected"}, {"version": "3.17", "status": "affected"}, {"version": "3.18", "status": "affected"}, {"version": "3.19", "status": "affected"}, {"version": "3.20", "status": "affected"}, {"version": "3.21", "status": "affected"}, {"version": "3.22", "status": "affected"}, {"version": "3.23", "status": "affected"}, {"version": "3.24", "status": "affected"}, {"version": "3.25", "status": "affected"}, {"version": "3.26", "status": "affected"}, {"version": "3.27", "status": "affected"}, {"version": "3.28", "status": "affected"}, {"version": "3.29", "status": "affected"}], "modules": ["Notice Module"]}, {"vendor": "lab1024", "product": "SmartAdmin", "versions": [{"version": "3.0", "status": "affected"}, {"version": "3.1", "status": "affected"}, {"version": "3.2", "status": "affected"}, {"version": "3.3", "status": "affected"}, {"version": "3.4", "status": "affected"}, {"version": "3.5", "status": "affected"}, {"version": "3.6", "status": "affected"}, {"version": "3.7", "status": "affected"}, {"version": "3.8", "status": "affected"}, {"version": "3.9", "status": "affected"}, {"version": "3.10", "status": "affected"}, {"version": "3.11", "status": "affected"}, {"version": "3.12", "status": "affected"}, {"version": "3.13", "status": "affected"}, {"version": "3.14", "status": "affected"}, {"version": "3.15", "status": "affected"}, {"version": "3.16", "status": "affected"}, {"version": "3.17", "status": "affected"}, {"version": "3.18", "status": "affected"}, {"version": "3.19", "status": "affected"}, {"version": "3.20", "status": "affected"}, {"version": "3.21", "status": "affected"}, {"version": "3.22", "status": "affected"}, {"version": "3.23", "status": "affected"}, {"version": "3.24", "status": "affected"}, {"version": "3.25", "status": "affected"}, {"version": "3.26", "status": "affected"}, {"version": "3.27", "status": "affected"}, {"version": "3.28", "status": "affected"}, {"version": "3.29", "status": "affected"}], "modules": ["Notice Module"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-07T13:26:25.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "din4 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.349663", "name": "VDB-349663 | 1024-lab/lab1024 SmartAdmin Notice notice-form-drawer.vue cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.349663", "name": "VDB-349663 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.765890", "name": "Submit #765890 | 1024-lab SmartAdmin \u22643.29 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/SmartAdmin-Stored-Cross-Site-Scripting-XSS-in-Notice-module-310ea92a3c41806ebcf0e5f82bf222da", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:47:03.544323Z", "id": "CVE-2026-3720", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:47:11.911Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lab1024:smartadmin:*:*:*:*:*:*:*:*", "matchCriteriaId": "155AADC4-CFDA-4FF3-A384-DB9020EF695E", "versionEndIncluding": "3.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en 1024-lab/lab1024 SmartAdmin hasta la versi\u00f3n 3.29. Se ve afectada una funci\u00f3n desconocida del archivo smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue del componente M\u00f3dulo de Avisos. La manipulaci\u00f3n resulta en cross-site scripting. El ataque puede lanzarse remotamente. El exploit ha sido publicado al p\u00fablico y puede ser utilizado para ataques. El proveedor fue contactado con antelaci\u00f3n sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-3720", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-08T08:15:59.943", "references": [{"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.349663"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.349663"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.765890"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.notion.so/SmartAdmin-Stored-Cross-Site-Scripting-XSS-in-Notice-module-310ea92a3c41806ebcf0e5f82bf222da"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.26"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.27"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.28"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.29"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SmartAdmin", "source": "cna", "vendor": "1024-lab"}, "product": "smartadmin", "vendor": "1024-lab"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.23"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.24"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.25"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.26"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.27"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.28"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.29"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SmartAdmin", "source": "cna", "vendor": "lab1024"}, "product": "smartadmin", "vendor": "lab1024"}], "analysis": {"en": {"generated_at": "2026-04-16T04:25:02.347544+00:00", "value": {"mitigation_remediation": ["Upgrade SmartAdmin to a patched version 3.30 or later when available.", "Implement input validation and output encoding for the Notice module to eliminate reflected scripts.", "Deploy a strict Content Security Policy that blocks unsafe scripts and limits script sources.", "If a patch is not yet available, disable the Notice module or block the vulnerable endpoint until remediation can be applied."], "summary": {"action": "Patch Now", "impact": "Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects 1024\u2011lab and lab1024 SmartAdmin products up to version 3.29.", "description_and_impact": "A flaw in SmartAdmin version 3.29 and earlier allows an attacker to inject malicious scripts via the notice-form-drawer.vue component, leading to remote cross\u2011site scripting. The weakness is defined by CWE\u201179 and CWE\u201194 and can enable an attacker to execute arbitrary JavaScript in the victim\u2019s browser, compromising the confidentiality of session data and possibly allowing phishing or credential theft.", "risk_and_exploitability": "The CVSS base score is 5.1, indicating medium severity, and the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The flaw can be triggered remotely from a crafted request to the Notice module, and a public exploit has already been released. It is not currently listed in the CISA KEV catalog."}}}}, "created": "2026-03-09T10:03:25.671141+00:00", "updated": "2026-04-16T04:30:13.952269+00:00", "vendors": ["1024-lab", "1024-lab$PRODUCT$smartadmin", "lab1024", "lab1024$PRODUCT$smartadmin"]}