CVE-2026-2932 - Vulnerability Details

- YiFang CMS Extended Management D_adPosition.php update cross site scripting

Description

A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.

Published: 2026-02-22

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A remote cross‑site scripting flaw exists in YiFang CMS through the update function of app/db/admin/D_adPosition.php. By manipulating the name or index arguments during a position update, an attacker can inject arbitrary script code that will execute in the browser context of users who view the affected content, potentially leading to session hijacking, data theft, or defacement of the site. The vulnerability is present in all releases up to version 2.0.5. The publish of public exploit code indicates that an attacker can attempt to weaponize the flaw readily.

Affected Systems

The vulnerability affects the YiFang CMS product, specifically any installation using the Extended Management Module up to and including version 2.0.5. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS score of 4.8 classifies the flaw as medium severity, and the EPSS probability is less than 1 %, indicating that while exploitation is technically possible, it is unlikely to be widely used at present. The flaw is not listed in CISA’s KEV catalog, which further suggests limited exploitation activity. Precisely because the attack vector is remote and triggered via HTTP parameters, an attacker only needs network access to the management interface to successfully inject malicious code. Once executed, the impact could affect confidentiality, integrity, and availability for the affected user base.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

YiFang

CMS

affected

Version	Status	Constraints
`2.0.0`	affected	—
`2.0.1`	affected	—
`2.0.2`	affected	—
`2.0.3`	affected	—
`2.0.4`	affected	—
`2.0.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:yifangcms:yifang:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Yifang

Cms

100%

Version	Status	Scheme	Platform
`2.0.0`	affected	semver	—
`2.0.1`	affected	semver	—
`2.0.2`	affected	semver	—
`2.0.3`	affected	semver	—
`2.0.4`	affected	semver	—
`2.0.5`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade YiFang CMS to a version newer than 2.0.5, which removes the vulnerable update handler.
Prevent injection of unsanitized input by validating or escaping all data passed to the name/index parameters before they are processed or displayed.
Restrict access to the YiFang CMS administration interface to trusted administrators only, and monitor for anomalous activity within the Extended Management Module.

Generated by OpenCVE AI on April 16, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ZZCTD/CVE/issues/2
https://github.com/ZZCTD/CVE/issues/3
https://vuldb.com/?ctiid.347278
https://vuldb.com/?id.347278
https://vuldb.com/?submit.755281
https://vuldb.com/?submit.755286

History

Fri, 27 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yifangcms Yifangcms yifang
CPEs		cpe:2.3:a:yifangcms:yifang::::::::
Vendors & Products		Yifangcms Yifangcms yifang

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yifang Yifang cms
Vendors & Products		Yifang Yifang cms

Sun, 22 Feb 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Title		YiFang CMS Extended Management D_adPosition.php update cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/ZZCTD/CVE/issues/2 https://github.com/ZZCTD/CVE/issues/3 https://vuldb.com/?ctiid.347278 https://vuldb.com/?id.347278 https://vuldb.com/?submit.755281 https://vuldb.com/?submit.755286
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Yifang Cms

Yifangcms Yifang

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-22T07:32:08.677Z

Updated: 2026-02-27T18:15:32.945Z

Reserved: 2026-02-21T08:08:35.451Z

Link: CVE-2026-2932

Vulnrichment

Updated: 2026-02-27T18:15:29.205Z

NVD

Status : Analyzed

Published: 2026-02-22T08:15:55.770

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object