Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
A cross-site scripting (XSS) vulnerability has been identified in YiFang CMS Extended Management Module versions 2.0.0 through 2.0.5. This flaw resides within the 'update' function of the app/db/admin/D_adPosition.php file, allowing attackers to inject malicious scripts by manipulating the 'name/index' argument. Successful exploitation could lead to session hijacking or defacement of the affected website.
The primary impact of CVE-2026-2932 is the potential for cross-site scripting (XSS) attacks. An attacker could leverage this vulnerability to inject arbitrary JavaScript code into the YiFang CMS application. This injected code could then be executed in the context of a user's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the website. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly broadening the potential attack surface. The public availability of an exploit further increases the risk of immediate exploitation.
CVE-2026-2932 has been publicly disclosed and a proof-of-concept exploit is available. This significantly increases the likelihood of exploitation. The vulnerability's LOW CVSS score reflects the relatively simple exploitation process and limited potential impact, but the public exploit makes it a high-priority remediation target. It was published on 2026-02-22.
EPSS: 0.03% (10th percentile)
The recommended mitigation for CVE-2026-2932 is to upgrade YiFang CMS Extended Management Module to a version that includes the security fix. As no fixed version is provided, thoroughly review the app/db/admin/D_adPosition.php file for input validation and sanitization of the 'name/index' parameter. Implement strict input validation on all user-supplied data to prevent malicious code injection. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests containing XSS payloads.
Update YiFang CMS to a version later than 2.0.5 to fix the XSS vulnerability. If updating is not possible, review and filter the inputs of the 'name' and 'index' parameters in the file app/db/admin/D_adPosition.php to prevent malicious code injection.
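The following is an added illustration of the two-layer defence the mitigation above describes: strict input validation of the 'name' and 'index' parameters before they are stored, plus HTML output encoding when a stored value is rendered. It is not YiFang CMS code and does not reproduce the project's update function; it assumes (hypothetically) that 'index' is an integer ordering value and 'name' is a short human-readable label that an admin page later prints into HTML.

```php
<?php
// Added illustration (not YiFang CMS code). Assumptions, hypothetical:
//   - 'index' is a non-negative integer sort order;
//   - 'name' is a short label rendered into an admin HTML page.
// Requires the mbstring extension for mb_strlen().

declare(strict_types=1);

final class AdPositionInput
{
    public const NAME_MAX_LEN = 64;

    /**
     * Returns a sanitised ['name' => string, 'index' => int] pair or throws
     * InvalidArgumentException. Rejecting bad input here keeps a stored XSS
     * payload from ever reaching the database.
     */
    public static function validate(array $params): array
    {
        $name  = $params['name']  ?? null;
        $index = $params['index'] ?? null;

        if (!is_string($name)) {
            throw new InvalidArgumentException('name must be a string');
        }
        // Normalise whitespace, then bound the length so oversized payloads are never stored.
        $name = trim($name);
        if ($name === '' || mb_strlen($name, 'UTF-8') > self::NAME_MAX_LEN) {
            throw new InvalidArgumentException('name is empty or too long');
        }
        // Allow-list: letters in any script, digits, space, underscore, hyphen, dot.
        // '<', '>', '"', '\'' and '&' are deliberately absent from the class.
        if (!preg_match('/^[\p{L}\p{N} _\-.]+$/u', $name)) {
            throw new InvalidArgumentException('name contains disallowed characters');
        }

        // 'index' must parse as an integer within a sane range; anything else is rejected.
        $indexInt = filter_var($index, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 0, 'max_range' => 100000],
        ]);
        if ($indexInt === false) {
            throw new InvalidArgumentException('index must be an integer in range');
        }

        return ['name' => $name, 'index' => $indexInt];
    }

    /**
     * Output encoding is the independent second layer: even a value that was
     * stored before validation existed is rendered as inert text, not markup.
     */
    public static function escapeForHtml(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// --- Demonstration on constructed input (not captured requests) ---
$attempts = [
    ['name' => 'Sidebar banner',               'index' => '3'],    // accepted
    ['name' => '<script>alert(1)</script>',    'index' => '1'],    // rejected: markup in name
    ['name' => 'Header',                       'index' => 'abc'],  // rejected: non-integer index
];

foreach ($attempts as $p) {
    try {
        $clean = AdPositionInput::validate($p);
        printf("accepted: name=%s index=%d\n",
            AdPositionInput::escapeForHtml($clean['name']), $clean['index']);
    } catch (InvalidArgumentException $e) {
        // Even when logging the rejected value, encode it before it reaches any HTML context.
        printf("rejected (%s): %s\n", $e->getMessage(),
            AdPositionInput::escapeForHtml((string)($p['name'] ?? '')));
    }
}
```

Validation alone is not sufficient, because records written before the fix may already contain markup; encoding at the point of rendering (the escapeForHtml step) is what neutralises those. A WAF rule, as the mitigation above suggests, sits in front of both layers and should be treated as a stopgap rather than a replacement for them.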
CVE-2026-2932 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS Extended Management Module versions 2.0.0–2.0.5, allowing remote attackers to inject malicious scripts.
You are affected if your YiFang CMS Extended Management Module is running versions 2.0.0 through 2.0.5. Upgrade immediately or implement mitigation strategies.
Upgrade to a patched version of YiFang CMS Extended Management Module. If a patch isn't available, implement strict input validation and consider a WAF.
Yes, a proof-of-concept exploit is publicly available, increasing the likelihood of active exploitation.
Refer to the official YiFang CMS website or security mailing lists for the latest advisory regarding CVE-2026-2932.