Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
A cross-site scripting (XSS) vulnerability has been discovered in YiFang CMS versions 2.0.0 through 2.0.5. This flaw resides within the Extended Management Module's file update function (app/db/admin/D_adManage.php). Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. A public proof-of-concept exists, increasing the risk of immediate exploitation.
The XSS vulnerability in YiFang CMS allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, deface the website, or even execute arbitrary code on the user's machine if they have sufficient privileges. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly expanding the potential attack surface. Given the public availability of a proof-of-concept, the risk of exploitation is considered high.
This vulnerability is publicly known with a proof-of-concept available, indicating a high probability of exploitation. It has been added to the CISA KEV catalog. The low CVSS score reflects the relatively limited impact, but the ease of exploitation and public availability of the PoC make it a significant risk, particularly for systems with vulnerable versions exposed to the internet.
EPSS: 0.03% (7th percentile)
The primary mitigation for CVE-2026-2933 is to upgrade YiFang CMS to a version that includes the security patch. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the 'Name' parameter within the app/db/admin/D_adManage.php file. A Web Application Firewall (WAF) configured to block XSS payloads targeting this specific parameter can also provide a temporary layer of protection. Review access control lists to restrict access to the admin panel to authorized personnel only. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the affected parameter and confirming that it is properly sanitized.
Update YiFang CMS to a version later than 2.0.5 to fix the XSS vulnerability in the extended management module. If updating is not possible, it is recommended to disable or remove the affected module.
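As an added illustration of the validate-and-encode approach recommended above (hypothetical handler code, not YiFang CMS's own D_adManage.php), the following shows the vulnerable reflection of a 'Name' parameter beside a hardened version, with a self-check that uses the advisory's verification payload:

```php
<?php
// Added example (not YiFang CMS code): a hypothetical admin handler that
// reflects a 'Name' parameter, shown in its vulnerable and hardened forms.

// Vulnerable pattern: the raw parameter is concatenated into HTML, so a value
// such as <script>alert(1)</script> is rendered as markup and executed.
function render_name_vulnerable(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern, step 1: server-side validation. Reject values that cannot
// be a legitimate name (length bound, no angle brackets, quotes or backticks).
function validate_name(string $name): bool
{
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    return preg_match('/[<>"\'`]/u', $name) === 0;
}

// Step 2: output encoding. Whatever reaches the page is HTML-escaped,
// including quotes, so it cannot break out of the element it is placed in.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_name_hardened(string $name): string
{
    if (!validate_name($name)) {
        // Fail closed instead of silently stripping characters.
        throw new InvalidArgumentException('invalid Name parameter');
    }
    return '<td>' . html_escape($name) . '</td>';
}

// Self-check mirroring the advisory's verification step: the PoC payload is
// rejected by validation and, when only encoding is applied, rendered inert.
$payload = '<script>alert(1)</script>';
assert(str_contains(render_name_vulnerable($payload), '<script>'));
assert(validate_name($payload) === false);
assert(html_escape($payload) === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert(validate_name('Summer Banner 2026') === true);
echo render_name_hardened('Summer Banner 2026'), PHP_EOL;
```

Run with `zend.assertions=1` (the development default) so the self-checks are evaluated; `str_contains` requires PHP 8.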
CVE-2026-2933 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.0–2.0.5, allowing attackers to inject malicious scripts via the 'Name' parameter in the Extended Management Module.
If you are using YiFang CMS versions 2.0.0 through 2.0.5, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade YiFang CMS to a patched version. If immediate upgrade is not possible, implement input validation and sanitization or use a WAF.
Due to the public availability of a proof-of-concept, CVE-2026-2933 is considered to be at high risk of exploitation.
Refer to the official YiFang CMS website or security advisories for the latest information and updates regarding CVE-2026-2933.