Platform
php
Fixed in
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
A cross-site scripting (XSS) vulnerability has been identified in YiFang CMS Extended Management Module versions 2.0.0 through 2.0.5. This flaw resides within the 'update' function of the app/db/admin/D_adPosition.php file, allowing attackers to inject malicious scripts by manipulating the 'name/index' argument. Successful exploitation could lead to session hijacking or defacement of the affected website.
The primary impact of CVE-2026-2932 is the potential for cross-site scripting (XSS) attacks. An attacker could leverage this vulnerability to inject arbitrary JavaScript code into the YiFang CMS application. This injected code could then be executed in the context of a user's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the website. The remote nature of the vulnerability means an attacker does not need to be authenticated to exploit it, significantly broadening the potential attack surface. The public availability of an exploit further increases the risk of immediate exploitation.
CVE-2026-2932 has been publicly disclosed and a proof-of-concept exploit is available. This significantly increases the likelihood of exploitation. The vulnerability's LOW CVSS score reflects the relatively simple exploitation process and limited potential impact, but the public exploit makes it a high-priority remediation target. It was published on 2026-02-22.
Websites and applications utilizing YiFang CMS Extended Management Module versions 2.0.0 through 2.0.5 are at risk. This includes organizations relying on YiFang CMS for content management and those with publicly accessible administrative interfaces. Shared hosting environments using these versions are particularly vulnerable due to the potential for cross-tenant attacks.
• php / web:
  curl -I 'https://example.com/app/db/admin/D_adPosition.php?name/index=<script>alert(1)</script>'
• generic web:
  grep -i '<script>' /var/log/apache2/access.log
Disclosure
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS-vector
The recommended mitigation for CVE-2026-2932 is to upgrade YiFang CMS Extended Management Module to a version that includes the security fix. As no fixed version is provided, thoroughly review the app/db/admin/D_adPosition.php file for input validation and sanitization of the 'name/index' parameter. Implement strict input validation on all user-supplied data to prevent malicious code injection. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests containing XSS payloads.
Update YiFang CMS to a version later than 2.0.5 to fix the XSS vulnerability. If an update is not possible, check and filter the input of the 'name' and 'index' parameters in the file app/db/admin/D_adPosition.php to prevent injection of malicious code.
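As an added illustration of the input validation and output escaping recommended above (example code written for this page, not taken from YiFang CMS; the handler, function names and the allowed character set are hypothetical, only the 'name' and 'index' parameter names come from the advisory):

```php
<?php
// Added example, not YiFang CMS code: a hardened sketch of an "update" handler that
// treats the 'name' and 'index' request parameters as untrusted. Function names and the
// allowed character set are hypothetical; the parameter names come from the advisory.
declare(strict_types=1);

// Validate 'name': bounded length, letters/digits/space/underscore/hyphen only.
// Angle brackets, quotes and other markup characters never pass. Returns null on failure.
function validate_position_name(mixed $raw): ?string
{
    if (!is_string($raw)) {          // also rejects arrays such as name[]=...
        return null;
    }
    $name = trim($raw);
    return preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $name) === 1 ? $name : null;
}

// Validate 'index': a small non-negative integer, never a free-form string.
function validate_position_index(mixed $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $idx = (int) $raw;
    return $idx <= 10000 ? $idx : null;
}

// Escape at output time for HTML body/attribute context. Done even after validation:
// validation rules change, escaping is cheap, and the two together are defence in depth.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- request handling ---
$name  = validate_position_name($_POST['name'] ?? null);
$index = validate_position_index($_POST['index'] ?? null);

if ($name === null || $index === null) {
    http_response_code(400);
    // Do not reflect the rejected raw value back into the response body.
    exit('Invalid name or index.');
}

// Persistence (prepared statement) omitted; only the validated values would be stored.
// Rendering the row: escaped output, so even a future relaxed rule cannot inject markup.
echo '<tr><td>' . html_escape($name) . '</td><td>' . html_escape((string) $index) . '</td></tr>';
```

The same escaping must be applied wherever the stored name is later rendered, including admin list views, since a stored value is just as dangerous as a reflected one.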
CVE-2026-2932 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS Extended Management Module versions 2.0.0–2.0.5, allowing remote attackers to inject malicious scripts.
You are affected if your YiFang CMS Extended Management Module is running versions 2.0.0 through 2.0.5. Upgrade immediately or implement mitigation strategies.
Upgrade to a patched version of YiFang CMS Extended Management Module. If a patch isn't available, implement strict input validation and consider a WAF.
Yes, a proof-of-concept exploit is publicly available, increasing the likelihood of active exploitation.
Refer to the official YiFang CMS website or security mailing lists for the latest advisory regarding CVE-2026-2932.