Platform
php
Fixed in
2.0.6
CVE-2026-3743 describes a cross-site scripting (XSS) vulnerability discovered in YiFang CMS versions 2.0.5–2.0.5. This flaw resides within the update function of the app/db/admin/D_singlePageGroup.php file, allowing attackers to inject malicious scripts. The vulnerability is remotely exploitable and a public exploit is available, highlighting the potential for immediate compromise.
Successful exploitation of CVE-2026-3743 allows an attacker to inject arbitrary JavaScript code into the YiFang CMS application. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. Given the public availability of an exploit, the risk of immediate exploitation is significant. The impact can range from minor annoyance to complete compromise of the web server and its associated data, depending on the attacker's goals and the CMS configuration.
CVE-2026-3743 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high likelihood of exploitation. The vulnerability was reported on 2026-03-08. The vendor, YiFang CMS, has not responded to early disclosure attempts, which may delay the release of a patch. The CVSS score is LOW, but the availability of a public exploit elevates the risk.
Websites and applications utilizing YiFang CMS 2.0.5–2.0.5 are at risk. This includes organizations hosting their own YiFang CMS instances, as well as shared hosting environments where multiple users may be running the CMS. Administrators and users with access to the CMS admin panel are particularly vulnerable.
• php: Examine the app/db/admin/D_singlePageGroup.php file for unsanitized input handling of the Name parameter. Search for code that directly outputs this parameter without proper encoding.

    <?php
    // Example of vulnerable code: the raw POST value is written into the
    // response body without HTML encoding, so any markup in it is rendered
    echo $_POST['Name']; // Vulnerable to XSS
    ?>

• generic web: Monitor access logs for requests containing suspicious JavaScript payloads in the Name parameter of URLs targeting the D_singlePageGroup.php file.
• generic web: Check response headers for signs of XSS activity, such as the presence of injected JavaScript code.
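The access-log check from the generic web bullet above, written out as an added example; this is not part of the advisory and not YiFang CMS code. It parses combined-format access log lines, URL-decodes the query string, and flags requests to D_singlePageGroup.php whose Name parameter contains script-like content. The log lines are constructed for the example, and the pattern list, function names and constant names are assumptions. Access logs do not record POST bodies, so this only catches GET-style probes; the same check can be pointed at a WAF or application log that records the body.

```php
<?php
// Added example for this advisory; not YiFang CMS code.
// Log lines, pattern list and function names are constructed/assumed.
declare(strict_types=1);

// Handler named in the advisory.
const TARGET_FILE = 'D_singlePageGroup.php';

// Markup that has no business in a field that should only hold a page name.
const SUSPICIOUS = [
    '/<\s*script/i',
    '/<\s*\/?\s*(img|svg|iframe|body|object)\b/i',
    '/\bon[a-z]+\s*=/i',   // inline event handlers such as onerror=
    '/javascript\s*:/i',
];

// Pull "METHOD /path?query HTTP/x.y" out of a combined-format line and
// split it into path and decoded query parameters.
function parseRequestLine(string $logLine): ?array
{
    if (!preg_match('/"(\w+) ([^ "]+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    if ($url === false) {
        return null;
    }
    $query = [];
    // parse_str removes one layer of URL encoding; a double-encoded payload
    // would need a second urldecode() before matching.
    parse_str($url['query'] ?? '', $query);
    return ['method' => $m[1], 'path' => $url['path'] ?? '', 'query' => $query];
}

function isSuspiciousName(string $name): bool
{
    foreach (SUSPICIOUS as $re) {
        if (preg_match($re, $name) === 1) {
            return true;
        }
    }
    return false;
}

// Return the raw log lines that target the handler with a suspicious Name.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseRequestLine($line);
        if ($req === null || !str_ends_with($req['path'], TARGET_FILE)) {
            continue;
        }
        $name = $req['query']['Name'] ?? null;
        if (is_string($name) && isSuspiciousName($name)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log: one benign update, one probe against the handler,
// one probe against an unrelated script (not reported by this check).
$logLines = [
    '10.0.0.5 - - [08/Mar/2026:10:01:02 +0000] "GET /app/db/admin/D_singlePageGroup.php?action=update&Name=About%20Us HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Mar/2026:10:03:14 +0000] "GET /app/db/admin/D_singlePageGroup.php?action=update&Name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498',
    '10.0.0.9 - - [08/Mar/2026:10:03:20 +0000] "GET /index.php?Name=%3Cscript%3E HTTP/1.1" 200 300',
];

foreach (scanLog($logLines) as $hit) {
    echo 'ALERT: ', $hit, PHP_EOL;
}
```

Run with `php scan.php`; only the second line is reported. Matching is done on the decoded value, which is what matters: a WAF or grep rule that looks for a literal `<script>` in the raw request line misses the percent-encoded form that browsers and tools actually send.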
disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3743 is to upgrade YiFang CMS to a patched version. As no fixed version is currently available, consider implementing temporary workarounds to reduce the attack surface. Input validation and sanitization on the Name parameter in app/db/admin/D_singlePageGroup.php can help prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific file can also provide a layer of protection. After attempting any mitigation, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the affected parameter and confirming that it is not executed.
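The input validation and output encoding described above, as an added example that is not part of the advisory and not YiFang CMS code. It places the vulnerable pattern next to a hardened version of the same rendering step. Only the handler file and the Name parameter come from the advisory; the function names, the 100-character length limit and the sample inputs are assumptions.

```php
<?php
// Added example for this advisory; not YiFang CMS code. Only the handler
// file name and the 'Name' parameter come from the advisory. The function
// names, the 100-character limit and the sample inputs are assumptions.
declare(strict_types=1);

// The pattern the advisory describes: the raw request value is written
// straight into the HTML document, so any markup in it is rendered.
function renderNameVulnerable(array $post): string
{
    return '<h1>' . ($post['Name'] ?? '') . '</h1>';
}

// Input validation narrows the surface (bounded length, no control
// characters) but deliberately does not strip "bad" characters: a page name
// may legitimately contain & or quotes, and a blacklist is easy to bypass.
function validateName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        return null;
    }
    return $name;
}

// Output encoding is the control that actually prevents the XSS. ENT_QUOTES
// covers both quote styles so the same helper is safe inside attribute
// values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding an empty
// string. A value placed inside a <script> block needs json_encode() instead.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameHardened(array $post): string
{
    $name = validateName((string) ($post['Name'] ?? ''));
    if ($name === null) {
        // Reject rather than "clean up": the caller should log and re-prompt.
        return '<h1>' . escapeHtml('Invalid name') . '</h1>';
    }
    return '<h1>' . escapeHtml($name) . '</h1>';
}

// Constructed inputs: the probe the advisory suggests for verification, and
// a benign name that still needs encoding.
$probe  = ['Name' => '<script>alert(1)</script>'];
$benign = ['Name' => 'Tom & Jerry'];

echo renderNameVulnerable($probe), PHP_EOL;
echo renderNameHardened($probe), PHP_EOL;
echo renderNameHardened($benign), PHP_EOL;
```

In the vulnerable output the script tag reaches the browser intact; in the hardened output the angle brackets and the ampersand arrive as HTML entities and are displayed as text. Because the advisory places the flaw in an update function, the value is presumably stored and rendered later (stored XSS); encoding at the point of output, as above, covers that case as well as the reflected one, whereas encoding before storage tends to double-encode on edit and is skipped by any other code path that reads the same row.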
Upgrade to a fixed version of YiFang CMS that resolves the Cross-Site Scripting (XSS) vulnerability. Since the vendor has not responded, it is recommended to look for unofficial patches or to consider migrating to a more secure, actively maintained CMS.
CVE-2026-3743 is a cross-site scripting (XSS) vulnerability in YiFang CMS versions 2.0.5–2.0.5, allowing attackers to inject malicious scripts via the Name parameter in app/db/admin/D_singlePageGroup.php.
If you are running YiFang CMS version 2.0.5–2.0.5, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of YiFang CMS. Until a patch is released, implement input validation and sanitization or use a WAF to mitigate the risk.
A public exploit is available, indicating a high probability of active exploitation. Monitor your systems for suspicious activity.
As of the disclosure date, YiFang CMS has not released an official advisory. Monitor their website and security mailing lists for updates.