CVE-2026-2933 - Vulnerability Details

- YiFang CMS Extended Management D_adManage.php update cross site scripting

Description

A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

Published: 2026-02-22

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Extended Management Module of YiFang CMS allows an attacker to inject malicious script through the Name parameter during an update operation. The resulting client‑side injection can execute arbitrary code in the browser of any user who views the affected page. The vulnerability is a classic cross‑site scripting flaw (CWE‑79).

Affected Systems

YiFang CMS versions up to 2.0.5 are affected. The issue resides in the app/db/admin/D_adManage.php file within the Extended Management Module and applies to all installations running those released versions.

Risk and Exploitability

The vulnerability receives a CVSS base score of 4.8, indicating a moderate impact. The EPSS score is less than 1 %, reflecting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers can trigger the flaw by sending a crafted HTTP request from a remote location that supplies a malicious value for the Name field; no special authentication or elevated privileges are required as per the description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

YiFang

CMS

affected

Version	Status	Constraints
`2.0.0`	affected	—
`2.0.1`	affected	—
`2.0.2`	affected	—
`2.0.3`	affected	—
`2.0.4`	affected	—
`2.0.5`	affected	—

Configuration 1 [-]

cpe:2.3:a:yifangcms:yifang:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Yifang

Cms

100%

Version	Status	Scheme	Platform
`2.0.0`	affected	semver	—
`2.0.1`	affected	semver	—
`2.0.2`	affected	semver	—
`2.0.3`	affected	semver	—
`2.0.4`	affected	semver	—
`2.0.5`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade YiFang CMS to a version newer than 2.0.5 where the D_adManage.php file has been patched.
If an upgrade is not possible immediately, sanitize or encode user input in the Name field on the update endpoint to remove script tags before it is rendered or stored.
Restrict access to the Extended Management interface so that only authenticated administrators can reach the update endpoint, reducing the exposure surface.
Apply a web application firewall rule to detect and block typical XSS payloads targeting the Name parameter.

Generated by OpenCVE AI on April 17, 2026 at 16:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ZZCTD/CVE/issues/4
https://vuldb.com/?ctiid.347279
https://vuldb.com/?id.347279
https://vuldb.com/?submit.755295

History

Fri, 27 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yifangcms Yifangcms yifang
CPEs		cpe:2.3:a:yifangcms:yifang::::::::
Vendors & Products		Yifangcms Yifangcms yifang

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yifang Yifang cms
Vendors & Products		Yifang Yifang cms

Sun, 22 Feb 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Title		YiFang CMS Extended Management D_adManage.php update cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/ZZCTD/CVE/issues/4 https://vuldb.com/?ctiid.347279 https://vuldb.com/?id.347279 https://vuldb.com/?submit.755295
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Yifang Cms

Yifangcms Yifang

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-22T07:32:11.055Z

Updated: 2026-02-27T18:18:36.765Z

Reserved: 2026-02-21T08:08:38.485Z

Link: CVE-2026-2933

Vulnrichment

Updated: 2026-02-27T18:18:31.685Z

NVD

Status : Analyzed

Published: 2026-02-22T08:15:56.863

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object