Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
CVE-2026-2934 describes a cross-site scripting (XSS) vulnerability discovered in YiFang CMS versions 2.0.0 through 2.0.5. This flaw resides within the Extended Management Module, specifically in the file app/db/admin/D_friendLinkGroup.php. Exploitation involves manipulating the 'Name' argument, potentially allowing attackers to execute arbitrary JavaScript code in a victim's browser, leading to session hijacking or defacement. The vulnerability is remotely exploitable and has been publicly disclosed.
Successful exploitation of CVE-2026-2934 allows an attacker to inject malicious JavaScript code into the YiFang CMS application. This code can then be executed in the context of a user's browser when they visit a vulnerable page. The impact ranges from simple defacement of the website to more severe consequences like session hijacking, where an attacker gains control of a legitimate user's account. Furthermore, attackers could potentially steal sensitive information, such as cookies or authentication tokens. The remote accessibility of this vulnerability significantly broadens the attack surface, making it a potential target for automated scanning and exploitation.
CVE-2026-2934 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant attention. There is no indication of active campaigns targeting this vulnerability at the time of writing, but the public disclosure makes it a potential target for opportunistic attackers. The vulnerability was published on 2026-02-22.
EPSS: 0.03% (7th percentile)
The primary mitigation for CVE-2026-2934 is to upgrade YiFang CMS to a version that includes a fix for this vulnerability; the source advisory does not name the fixed version. As a temporary workaround, apply strict input validation to the 'Name' parameter handled in app/db/admin/D_friendLinkGroup.php and escape the value wherever it is rendered. A Web Application Firewall (WAF) with XSS filtering rules can block many malicious requests, but it is a stopgap rather than a replacement for the fix. Regularly review and update CMS plugins and extensions so they are free of known vulnerabilities. After applying the mitigation, test the application thoroughly to confirm that the vulnerability has been effectively addressed.
Update YiFang CMS to a version later than 2.0.5 that fixes the Cross-Site Scripting (XSS) vulnerability in the Extended Management Module. Consult the vendor's website for the latest version and upgrade instructions. As a temporary measure, validate and escape user input in the 'Name' parameter in the file app/db/admin/D_friendLinkGroup.php.
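The validate-and-escape advice above, shown as an added example; this is not YiFang CMS's own D_friendLinkGroup.php, and the function names, the 64-character limit and the sample value are assumptions made for illustration.

```php
<?php
// Added example (not YiFang CMS code): a friend-link group "Name" value
// validated on input and escaped on output, beside the unsafe pattern
// that lets stored markup reach the browser. Names here are assumptions.

/**
 * Validate the group name on input: non-empty, length-bounded, no control
 * characters. Returns null when rejected. Validation limits abuse, but
 * output escaping below is the control that actually prevents XSS.
 */
function validateGroupName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 64) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Escape for an HTML text or attribute context. ENT_QUOTES covers both
 * single- and double-quoted attributes; ENT_SUBSTITUTE avoids returning
 * an empty string when the stored value contains invalid UTF-8.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored name is concatenated straight into markup. */
function renderGroupRowUnsafe(string $name): string
{
    return '<tr><td>' . $name . '</td></tr>';
}

/** Hardened pattern: the same row with the name escaped at output time. */
function renderGroupRowSafe(string $name): string
{
    return '<tr><td>' . escapeHtml($name) . '</td></tr>';
}

// Constructed sample value standing in for an attacker-supplied 'Name'.
$submitted = 'Partners <script>alert(1)</script>';

echo renderGroupRowUnsafe($submitted), PHP_EOL; // script element reaches the browser
echo renderGroupRowSafe($submitted), PHP_EOL;   // rendered as literal text instead
```

The escaping must match the output context: a name placed inside a JavaScript string or a URL needs a different encoder than the HTML-body escaping shown here.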
CVE-2026-2934 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.0–2.0.5. It allows attackers to inject malicious scripts by manipulating the 'Name' argument in a specific file.
If you are using YiFang CMS versions 2.0.0 through 2.0.5, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade YiFang CMS to a version that includes a fix for this vulnerability. Until then, implement input validation and consider using a WAF.
While there's no confirmed active exploitation, the public disclosure increases the risk of exploitation by opportunistic attackers.
Refer to the official YiFang CMS website or security advisories for the latest information and updates regarding CVE-2026-2934.