Scan free
LOWCVE-2026-3742CVSS 3.5

CVE-2026-3742: XSS in YiFang CMS 2.0.5

Platform

php

Fixed in

2.0.6

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2026-3742 describes a cross-site scripting (XSS) vulnerability discovered in YiFang CMS versions 2.0.5–2.0.5. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides in the update function of the app/db/admin/D_singlePage.php file, specifically through manipulation of the Title argument. A public exploit is now available.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-3742 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the YiFang CMS website. This can lead to various malicious actions, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as login credentials or personal information. Given the public availability of an exploit, the risk of exploitation is elevated. The attack can be initiated remotely, broadening the potential attack surface.

Exploitation Context

CVE-2026-3742 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability was reported on 2026-03-08. The vendor, YiFang CMS, was contacted but did not respond. It is not currently listed on KEV or EPSS, but the public exploit warrants immediate attention.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
NextGuard10–15% still vulnerable

EPSS

0.03% (7% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

VendorYiFang
Affected rangeFixed in
2.0.5 – 2.0.52.0.6

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 77 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-3742 is to upgrade to a patched version of YiFang CMS. As no fixed version is currently available, consider implementing temporary workarounds to reduce the attack surface. Input validation and sanitization on the Title field in app/db/admin/DsinglePage.php can help prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific file and parameter can also provide a layer of protection. Regularly monitor access logs for suspicious activity related to the DsinglePage.php file. After implementing any mitigation, verify its effectiveness by attempting to inject a simple XSS payload into the Title field and confirming that it is properly sanitized.

How to fix

Update to a patched version of YiFang CMS that resolves the Cross-Site Scripting (XSS) vulnerability. If no version is available, it is recommended to disable or remove the vulnerable component (D_singlePage.php) until a solution is published. As a temporary measure, implement thorough validation and sanitization of user input in the 'Title' field to prevent the injection of malicious code.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-3742 — XSS in YiFang CMS 2.0.5?

CVE-2026-3742 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.5–2.0.5. It allows attackers to inject malicious scripts via the Title argument in a specific admin file.

Am I affected by CVE-2026-3742 in YiFang CMS 2.0.5?

If you are running YiFang CMS version 2.0.5, you are directly affected by this vulnerability. Upgrade as soon as a patch is available.

How do I fix CVE-2026-3742 in YiFang CMS 2.0.5?

The recommended fix is to upgrade to a patched version of YiFang CMS. Until a patch is released, implement input validation and WAF rules as temporary mitigations.

Is CVE-2026-3742 being actively exploited?

Yes, a public exploit is available, indicating a high probability of active exploitation. Immediate action is required.

Where can I find the official YiFang CMS advisory for CVE-2026-3742?

As of this writing, no official advisory has been released by YiFang CMS. Monitor their website and security mailing lists for updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs