Description
A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can manipulate the siteurl argument in the application/install/index.php file of YzmCMS up to version 7.5, resulting in a SQL injection that can be performed remotely. The vulnerability enables unauthorized access to the database, potentially allowing data exfiltration, tampering, or full database compromise. The attack requires moderate effort and the exploitability is reported as difficult, but it remains publicly disclosed and may be executed without authentication.

Affected Systems

YzmCMS content management system, all versions through 7.5. The vulnerable code resides in the installation directory; any instance exposing that directory is at risk.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity. EPSS data is not available, so the likelihood of exploitation is uncertain, but the vulnerability has been disclosed publicly and can be leveraged by skilled adversaries. The attack vector is remote, requiring delivery of a crafted request to the installations script; the lack of authentication and high complexity suggest that exploitation is technically doable but may require an attacker with moderate skill.

Generated by OpenCVE AI on June 29, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or delete the installation directory to prevent unauthenticated access
  • Sanitize the siteurl parameter or apply a patch that validates input before database use
  • Upgrade to a version newer than 7.5 or apply the vendor’s patch when it becomes available

Generated by OpenCVE AI on June 29, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title YzmCMS index.php sql injection
First Time appeared Yzmcms
Yzmcms yzmcms
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:yzmcms:yzmcms:*:*:*:*:*:*:*:*
Vendors & Products Yzmcms
Yzmcms yzmcms
References
Metrics cvssV2_0

{'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yzmcms Yzmcms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T03:00:08.284Z

Reserved: 2026-06-28T07:59:39.811Z

Link: CVE-2026-13529

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T04:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')