CVE-2026-3743 is a cross-site scripting (XSS) vulnerability in YiFang CMS version 2.0.5. The flaw is in the update function of app/db/admin/D_singlePageGroup.php, where the Name parameter is accepted without adequate validation or output encoding, so an attacker can store script that executes in the browser of anyone who later views the affected page. The vulnerability can be triggered remotely and a public exploit is available.
Successful exploitation allows an attacker to run arbitrary JavaScript in the browser of a user who views the injected content, with that user's session privileges. Possible outcomes include session hijacking, defacement of the site, redirection to phishing pages, and theft of data the victim can access. The vulnerable file sits under the admin path, which suggests the most likely victim is a CMS administrator; script running in an administrator's session can perform any action the admin panel allows, which in a CMS may extend to content, configuration and file changes and so, indirectly, to the underlying server. The real impact therefore depends on who views the affected page and on how the CMS is configured, not on the XSS alone.
CVE-2026-3743 has been publicly disclosed and a proof-of-concept exploit is available, which lowers the effort required to exploit it. The vulnerability was reported on 2026-03-08. The vendor, YiFang, has not responded to early disclosure attempts, so no patch timeline is known. The CVSS severity is rated LOW and the EPSS score (0.03%, 7th percentile) indicates little observed exploitation activity; the public proof of concept is the main reason to treat the issue with more urgency than those numbers alone suggest.
Exploit Status: public proof-of-concept available
EPSS: 0.03% (7th percentile)
CISA SSVC: no decision listed
The primary mitigation for CVE-2026-3743 is to upgrade YiFang CMS to a patched version. As no fixed version is currently available, apply temporary workarounds to reduce the attack surface. The actual fix for an XSS bug is output encoding: every place the stored Name value from app/db/admin/D_singlePageGroup.php is rendered into HTML must escape it for the context it lands in (HTML body, attribute, JavaScript). Server-side validation of the Name parameter (length limits, rejection of control characters) is worthwhile defence in depth but does not by itself prevent injection. A web application firewall (WAF) configured to block XSS payloads aimed at this file adds another layer, with the caveat that WAF signatures are routinely bypassed with encoding and context tricks and should not be the only control. After applying any mitigation, verify it: submit a simple payload such as <script>alert(1)</script> through the Name parameter, then also try attribute-context payloads (for example a value starting with a double quote followed by an event handler). Because the vulnerable code is an update function, the injected value is presumably persisted, so check the page that later renders the stored Name, not just the response to the update request, and confirm the payload appears encoded rather than executing.
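The following is an added illustration of the vulnerable pattern beside its hardened form, together with the multi-context verification described above. It is example code written for this page, not YiFang CMS code: the class and method names, the table row template, and the way the Name value is stored are assumptions modelled on the advisory text, and the real contents of app/db/admin/D_singlePageGroup.php are not reproduced.

```php
<?php
// Added example, not YiFang CMS code. Class names, the row template and the
// storage model are assumptions; only the "Name" parameter comes from the advisory.
declare(strict_types=1);

// --- Vulnerable pattern: persist the raw value, interpolate it raw on render ---
final class VulnerableSinglePageGroupStore
{
    /** @var array<int, array{Name: string}> */
    private array $rows = [];

    public function update(int $id, array $post): void
    {
        // No validation and no encoding: whatever was submitted is persisted as-is.
        $this->rows[$id] = ['Name' => (string) ($post['Name'] ?? '')];
    }

    public function renderRow(int $id): string
    {
        $name = $this->rows[$id]['Name'] ?? '';
        // Raw interpolation into both an attribute and the HTML body: stored XSS.
        return '<tr><td title="' . $name . '">' . $name . '</td></tr>';
    }
}

// --- Hardened pattern: validate on input, encode on output ---
final class HardenedSinglePageGroupStore
{
    /** @var array<int, array{Name: string}> */
    private array $rows = [];

    public function update(int $id, array $post): void
    {
        $name = (string) ($post['Name'] ?? '');
        // Defence in depth: cap the length (300 bytes is an assumed limit) and
        // reject control characters. This is not the XSS fix by itself.
        if (strlen($name) > 300 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
            throw new InvalidArgumentException('invalid Name');
        }
        $this->rows[$id] = ['Name' => $name];
    }

    public function renderRow(int $id): string
    {
        $name = $this->rows[$id]['Name'] ?? '';
        // The actual fix: encode for the HTML context at render time. ENT_QUOTES
        // also escapes single and double quotes, which matters in the attribute.
        $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
        return '<tr><td title="' . $safe . '">' . $safe . '</td></tr>';
    }
}

// --- Verification: probe more than one HTML context, and check the rendered
//     page rather than the update response, since the value is stored first ---
const XSS_PROBES = [
    'body'      => '<script>alert(1)</script>',
    'attribute' => '" onmouseover="alert(1)',
    'tag-break' => '<img src=x onerror=alert(1)>',
];

/** Returns, per probe, whether the payload was rejected, encoded, or reflected raw. */
function probeStore(object $store): array
{
    $results = [];
    foreach (XSS_PROBES as $ctx => $payload) {
        try {
            $store->update(1, ['Name' => $payload]);
        } catch (InvalidArgumentException) {
            $results[$ctx] = 'rejected';
            continue;
        }
        $html = $store->renderRow(1);
        // If the payload appears byte-for-byte in the output, it was not encoded.
        $results[$ctx] = str_contains($html, $payload) ? 'REFLECTED RAW' : 'encoded';
    }
    return $results;
}

foreach ([new VulnerableSinglePageGroupStore(), new HardenedSinglePageGroupStore()] as $store) {
    echo get_class($store), ': ', json_encode(probeStore($store)), PHP_EOL;
}
```

Running this with PHP 8 or later reports every probe as REFLECTED RAW for the vulnerable store and as encoded for the hardened one. The same probe loop can be pointed at a real deployment by replacing the in-memory store with an HTTP client that submits the update and then fetches the page that lists single page groups; the string check on the fetched HTML is the same.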
Update to a patched version of YiFang CMS that resolves the Cross-Site Scripting (XSS) vulnerability once one is released. Since the vendor has not responded, unofficial patches may be the only option in the short term; review any such patch before applying it and confirm it encodes the Name value at every render site. If the CMS remains unmaintained, consider migrating to an actively maintained CMS.
CVE-2026-3743 is a cross-site scripting (XSS) vulnerability in YiFang CMS version 2.0.5, allowing attackers to inject malicious scripts via the Name parameter in app/db/admin/D_singlePageGroup.php.
If you are running YiFang CMS version 2.0.5, you are affected by this vulnerability. Upgrade to a patched version as soon as one becomes available and apply the workarounds above in the meantime.
The recommended fix is to upgrade to a patched version of YiFang CMS. Until a patch is released, implement input validation and sanitization or use a WAF to mitigate the risk.
A public exploit is available, which lowers the bar for attackers even though the EPSS score is currently low. Monitor your systems for suspicious activity, in particular script tags or event-handler attributes appearing in stored single page group names and unexpected changes made from administrator sessions.
As of the disclosure date, YiFang CMS has not released an official advisory. Monitor their website and security mailing lists for updates.