CVE-2026-2200: XSS in JFinalCMS 5.0.0
Platform: php
Component: my_cve
Fixed in: 5.0.1
A cross-site scripting (XSS) vulnerability has been discovered in JFinalCMS version 5.0.0. The flaw resides in the /admin/admin/save API endpoint and allows an attacker to inject malicious scripts into the application. Successful exploitation could lead to session hijacking or defacement. The vulnerability was publicly disclosed on 2026-02-09 and applying the fix is recommended.
Impact and Attack Scenarios
The XSS vulnerability in JFinalCMS allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially granting the attacker access to sensitive information such as session cookies. An attacker could use this to hijack user accounts, deface the website, or redirect users to malicious websites. Given the public availability of the exploit, the risk of exploitation is elevated, particularly for systems with unpatched JFinalCMS installations.
Exploitation Context
The vulnerability details and exploit have been publicly disclosed, indicating a higher probability of exploitation. While no active campaigns have been confirmed, the availability of a proof-of-concept increases the risk. The CVE was published on 2026-02-09. The CVSS score is 2.4 (LOW).
Threat Intelligence
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2026-2200 is to upgrade to a patched version of JFinalCMS. Until an official patch is available, implement strict input validation and output encoding on the /admin/admin/save endpoint: validate the submitted fields against what each field is allowed to contain, and encode every stored value for the HTML context it is rendered into before it is displayed on a page. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly review and update your CMS security configuration.
How to fix
Update JFinalCMS to a version later than 5.0.0 that fixes the Cross-Site Scripting (XSS) vulnerability. If no version is available, it is recommended to apply a security patch that filters or escapes user input in the /admin/admin/save endpoint to prevent the injection of malicious code.
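The input-validation and output-encoding mitigation described in the two sections above, as an added example that is not JFinalCMS code: the page gives neither the save handler nor its field names, so the record fields, the row template and the sample values are assumptions. It renders one stored record both unescaped and escaped, and checks each result for elements the template never emitted.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample record of the kind an admin-save form might submit.
# The real JFinalCMS field names are not on the page; these names are assumptions.
SAMPLE_RECORD = {
    "username": "editor01",
    "nickname": "<img src=x onerror=alert(document.cookie)>",
    "remark": 'ok" onmouseover="alert(1)',
}

# Input validation: identifier-like fields get an allow-list, not a deny-list.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

def render_row_vulnerable(rec: dict) -> str:
    # Stored values dropped straight into the admin list page: the XSS pattern.
    return (f"<tr><td>{rec['username']}</td><td>{rec['nickname']}</td>"
            f'<td title="{rec["remark"]}">...</td></tr>')

def render_row_hardened(rec: dict) -> str:
    # Output encoding at render time; html.escape(quote=True) covers & < > " '
    # which is sufficient for HTML text and for double-quoted attribute values.
    def e(v: str) -> str:
        return html.escape(v, quote=True)
    return (f"<tr><td>{e(rec['username'])}</td><td>{e(rec['nickname'])}</td>"
            f'<td title="{e(rec["remark"])}">...</td></tr>')

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_elements(rendered: str, allowed=frozenset({"tr", "td"})) -> list:
    # Check: any element the template did not emit, or any on* event-handler
    # attribute, means stored data broke out of its text or attribute context.
    p = _TagCollector()
    p.feed(rendered)
    return [tag for tag, attrs in p.tags
            if tag not in allowed or any(k.lower().startswith("on") for k in attrs)]

if __name__ == "__main__":
    print(injected_elements(render_row_vulnerable(SAMPLE_RECORD)))  # ['img', 'td']
    print(injected_elements(render_row_hardened(SAMPLE_RECORD)))    # []
```

The same check can be run over pages fetched from a test instance after upgrading, to confirm that previously stored values no longer render as markup.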
Frequently asked questions
What is CVE-2026-2200 — XSS in JFinalCMS 5.0.0?
CVE-2026-2200 is a cross-site scripting vulnerability in JFinalCMS 5.0.0 affecting the /admin/admin/save endpoint, allowing attackers to inject malicious scripts.
Am I affected by CVE-2026-2200 in JFinalCMS 5.0.0?
If you are running JFinalCMS version 5.0.0, you are potentially affected by this vulnerability. Upgrade as soon as possible.
How do I fix CVE-2026-2200 in JFinalCMS 5.0.0?
Upgrade to a patched version of JFinalCMS. Until a patch is available, implement strict input validation and output encoding.
Is CVE-2026-2200 being actively exploited?
While no active campaigns have been confirmed, the public availability of the exploit increases the risk of exploitation.
Where can I find the official JFinalCMS advisory for CVE-2026-2200?
Refer to the JFinalCMS official website or security mailing list for the latest advisory and patch information.