# CVE-2026-36358 PoC - Juzaweb CMS v.5.0.0 （XSS）

First, set up the platform normally and register an account. Here, the administrator account I registered is `123@123.com` / `123456`.

After setting up the platform, you can see the website homepage.

<img width="1211" height="732" alt="image" src="https://github.com/user-attachments/assets/46c907ac-216e-4922-ae2b-5a8f2760f4bd" />


Access `/admin` and log in.

<img width="1210" height="726" alt="image" src="https://github.com/user-attachments/assets/58157d5a-fe36-4b32-b903-b2bdab3b3c18" />


After logging in, you will enter the admin backend dashboard.

<img width="1207" height="707" alt="image" src="https://github.com/user-attachments/assets/4d8fc83c-adb7-4ac8-acef-b8cda0a4cbe4" />


Navigate to the `/admin/banner-ads` route and click "Add Banner" to go to the ad creation page.

<img width="1200" height="707" alt="image" src="https://github.com/user-attachments/assets/94770c8a-6a32-4697-9f10-1b469c1aee2f" />


Change the Type to "HTML" and insert the malicious XSS code into the Body field.

<img width="1203" height="720" alt="image" src="https://github.com/user-attachments/assets/4cf4f4e4-eda4-4899-b310-6b939df625b4" />


If you encounter an error like this:

<img width="297" height="76" alt="image" src="https://github.com/user-attachments/assets/de263fb8-9054-4b29-ac21-3c73ca3a49d0" />


Go back to the "Image" Type and enter any URL in the URL field.

<img width="1209" height="720" alt="image" src="https://github.com/user-attachments/assets/d87d7468-4733-40b7-84e3-258542a09780" />


After successfully adding the ad, you can see it is active/running.

<img width="1198" height="697" alt="image" src="https://github.com/user-attachments/assets/defe291f-8e1e-402d-8e81-86d29a65de6d" />


Now, return to the homepage. The alert box will pop up, demonstrating the XSS vulnerability.

<img width="1205" height="710" alt="image" src="https://github.com/user-attachments/assets/9c789b03-2e21-4562-9dbc-cfad2ec94c32" />