Platform
php
Fixed in
2.0.6
CVE-2026-3742 describes a cross-site scripting (XSS) vulnerability discovered in YiFang CMS versions 2.0.5–2.0.5. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the update function of the app/db/admin/D_singlePage.php file, specifically through manipulation of the Title argument. A public exploit is now available.
Successful exploitation of CVE-2026-3742 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the YiFang CMS website. This can lead to various malicious actions, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as login credentials or personal information. Given the public availability of an exploit, the risk of exploitation is elevated. The attack can be initiated remotely, broadening the potential attack surface.
CVE-2026-3742 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was reported on 2026-03-08. The vendor, YiFang CMS, was contacted but did not respond. It is not currently listed on KEV or EPSS, but the public exploit warrants immediate attention.
YiFang CMS installations running version 2.0.5 are directly at risk. Shared hosting environments utilizing YiFang CMS are particularly vulnerable, as attackers could potentially compromise multiple websites through a single vulnerability. Users who rely on YiFang CMS for managing sensitive data or handling user authentication are also at increased risk.
• php / web:
grep -r "D_singlePage.php" /var/www/yi-fang-cms/
• php / web:
curl -I <your_yi_fang_cms_url>/app/db/admin/D_singlePage.php?Title=<xss_payload>
• generic web:
grep "<xss_payload>" /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3742 is to upgrade to a patched version of YiFang CMS. As no fixed version is currently available, consider implementing temporary workarounds to reduce the attack surface. Input validation and sanitization on the Title field in app/db/admin/D_singlePage.php can help prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific file and parameter can also provide a layer of protection. Regularly monitor access logs for suspicious activity related to the D_singlePage.php file. After implementing any mitigation, verify its effectiveness by attempting to inject a simple XSS payload into the Title field and confirming that it is properly sanitized.
Update to a patched version of YiFang CMS that fixes the cross-site scripting (XSS) vulnerability. If no such version is available, it is recommended to disable or remove the vulnerable component (D_singlePage.php) until a fix is published. As a temporary measure, comprehensive validation and sanitization of user input in the 'Title' field can be implemented to prevent the injection of malicious code.
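The access-log check listed above and the log-monitoring advice in the mitigation paragraph, as an added example that is not part of the original advisory: a small Python script that parses Apache combined-format lines, isolates requests to app/db/admin/D_singlePage.php, and flags Title values containing HTML tags or inline event handlers. The log lines are constructed samples, and the path, parameter name and regexes are assumptions based on the advisory text; only GET query strings are visible in an access log, so Title values submitted via POST need application-level logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache combined format; not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Mar/2026:10:01:02 +0000] "GET /app/db/admin/D_singlePage.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Mar/2026:10:02:15 +0000] "GET /app/db/admin/D_singlePage.php?Title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [08/Mar/2026:10:03:40 +0000] "POST /app/db/admin/D_singlePage.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Mar/2026:10:04:01 +0000] "GET /app/db/admin/D_singlePage.php?Title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# HTML tags commonly abused for XSS, inline event handlers (onerror=, onload=...) and javascript: URLs.
# Expect occasional false positives on legitimate titles; review hits rather than auto-blocking on them.
SUSPICIOUS = re.compile(r'<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b|\bon[a-z]+\s*=|javascript:', re.I)
VULN_PATH = "/app/db/admin/d_singlepage.php"  # compared case-insensitively


def find_suspicious_title_requests(log_text):
    """Return one dict per request to the vulnerable script whose Title value looks like markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(VULN_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
        for title in params.get("Title", []):
            decoded = unquote_plus(title)  # second decode catches double-encoded values such as %253C
            if SUSPICIOUS.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "title": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_title_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} Title={hit["title"]!r}')
```

To run it against a live server, replace SAMPLE_LOG with the contents of the access log (or pipe the file in and call the function per chunk).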
CVE-2026-3742 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.5–2.0.5. It allows attackers to inject malicious scripts via the Title argument in a specific admin file.
If you are running YiFang CMS version 2.0.5, you are directly affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of YiFang CMS. Until a patch is released, implement input validation and WAF rules as temporary mitigations.
Yes, a public exploit is available, indicating a high probability of active exploitation. Immediate action is required.
As of this writing, no official advisory has been released by YiFang CMS. Monitor their website and security mailing lists for updates.