Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
CVE-2026-2934 describes a cross-site scripting (XSS) vulnerability discovered in YiFang CMS versions 2.0.0 through 2.0.5. This flaw resides within the Extended Management Module, specifically in the file app/db/admin/D_friendLinkGroup.php. Exploitation involves manipulating the 'Name' argument, potentially allowing attackers to execute arbitrary JavaScript code in a victim's browser, leading to session hijacking or defacement. The vulnerability is remotely exploitable and has been publicly disclosed.
Successful exploitation of CVE-2026-2934 allows an attacker to inject malicious JavaScript code into the YiFang CMS application. This code can then be executed in the context of a user's browser when they visit a vulnerable page. The impact ranges from simple defacement of the website to more severe consequences like session hijacking, where an attacker gains control of a legitimate user's account. Furthermore, attackers could potentially steal sensitive information, such as cookies or authentication tokens. The remote accessibility of this vulnerability significantly broadens the attack surface, making it a potential target for automated scanning and exploitation.
CVE-2026-2934 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant attention. There is no indication of active campaigns targeting this vulnerability at the time of writing, but the public disclosure makes it a potential target for opportunistic attackers. The vulnerability was published on 2026-02-22.
Websites and applications utilizing YiFang CMS versions 2.0.0 through 2.0.5 are at risk. Specifically, sites with publicly accessible admin panels or those allowing user-supplied input to be stored in the database without proper sanitization are particularly vulnerable. Shared hosting environments running YiFang CMS are also at increased risk due to potential cross-tenant vulnerabilities.
• wordpress / composer / npm:
  grep -r "D_friendLinkGroup.php" /var/www/yi-fang-cms/
• generic web:
  curl -I https://example.com/app/db/admin/D_friendLinkGroup.php | grep -i "X-Powered-By: PHP"
  (This header check only shows that a PHP-served endpoint exists at that path; it does not confirm the installed YiFang CMS version, so check the version on the host separately.)
disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2934 is to upgrade YiFang CMS to a version that includes a fix for this vulnerability. Unfortunately, the source advisory data does not specify a fixed version. As a temporary workaround, implement strict input validation and sanitization on the 'Name' parameter within the app/db/admin/D_friendLinkGroup.php file, and escape the stored value wherever it is rendered into HTML. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update CMS plugins and extensions to ensure they are free from known vulnerabilities. After applying the mitigation, thoroughly test the application to confirm that the vulnerability has been effectively addressed.
Update YiFang CMS to a version later than 2.0.5 that fixes the cross-site scripting (XSS) vulnerability in the Extended Management Module. Consult the vendor's website for the latest version and the update instructions. As a temporary measure, validate and escape user input in the 'Name' parameter in the file app/db/admin/D_friendLinkGroup.php.
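The following is an added example, not code from YiFang CMS, showing the two layers the workaround above calls for: validating the 'Name' value before it is stored, and escaping it at the point where it is written into HTML. The function names, the 64-character limit, the allowed character class and the friend_link_group table are assumptions made for the demo; the in-memory SQLite database stands in for the CMS's real storage and needs the pdo_sqlite extension.

```php
<?php
// Added example (not YiFang CMS code): validate the friend-link group 'Name'
// on input, escape it on output, and store it with a prepared statement.
declare(strict_types=1);

/**
 * Validate a group name before it is stored.
 * The 1-64 code point limit and the character class (letters in any script,
 * digits, space, underscore, hyphen, dot) are assumptions for this demo.
 * With the /u modifier the {1,64} quantifier counts code points, not bytes.
 */
function validateGroupName(string $raw): string
{
    $name = trim($raw);
    if (!preg_match('/^[\p{L}\p{N} _\-.]{1,64}$/u', $name)) {
        throw new InvalidArgumentException('Name must be 1-64 characters of letters, digits, space, _ - .');
    }
    return $name;
}

/**
 * Escape a value for HTML text or a double-quoted attribute.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, which would silently drop the field.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored name is echoed verbatim into the admin page.
function renderGroupRowVulnerable(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td></tr>';
}

// Hardened pattern: escape at the output boundary, independent of input checks.
function renderGroupRowSafe(array $group): string
{
    return '<tr><td>' . e($group['name']) . '</td></tr>';
}

// Store a validated name; the prepared statement keeps it out of the SQL grammar.
// Table name is assumed for the demo.
function storeGroupName(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO friend_link_group (name) VALUES (:name)');
    $stmt->execute([':name' => validateGroupName($name)]);
}

// Constructed sample input standing in for a submitted form value.
$submitted = ['name' => '<script>alert(1)</script>'];

// Output escaping alone neutralises the markup even if validation were bypassed.
echo renderGroupRowSafe($submitted), PHP_EOL;

// Input validation rejects the same value before it reaches the database.
try {
    validateGroupName($submitted['name']);
} catch (InvalidArgumentException $ex) {
    echo 'Rejected: ', $ex->getMessage(), PHP_EOL;
}

// End-to-end: a legitimate name passes validation, is stored, and is rendered escaped.
$pdo = new PDO('sqlite::memory:');   // in-memory DB for the demo; requires pdo_sqlite
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE friend_link_group (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
storeGroupName($pdo, 'Partner sites');
foreach ($pdo->query('SELECT name FROM friend_link_group') as $row) {
    echo renderGroupRowSafe($row), PHP_EOL;
}
```

Output escaping is the control that actually closes the XSS: the validation whitelist is a defence in depth that may legitimately need loosening for names in other scripts, whereas htmlspecialchars() at every HTML sink must stay in place regardless of what the validator accepts.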
CVE-2026-2934 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.0–2.0.5. It allows attackers to inject malicious scripts by manipulating the 'Name' argument handled in app/db/admin/D_friendLinkGroup.php.
If you are using YiFang CMS versions 2.0.0 through 2.0.5, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade YiFang CMS to a version that includes a fix for this vulnerability. Until then, implement input validation and consider using a WAF.
While there's no confirmed active exploitation, the public disclosure increases the risk of exploitation by opportunistic attackers.
Refer to the official YiFang CMS website or security advisories for the latest information and updates regarding CVE-2026-2934.