Description
A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-02-22
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw, identified as CWE‑79 and CWE‑94, arising from the manipulation of the Name argument in the D_friendLinkGroup.php update function of YiFang CMS. An attacker can inject arbitrary HTML or JavaScript code into the Name field, which is rendered unescaped when a user views the affected link group. This allows defacement of the page or theft of session data if the page is viewed by a user.

Affected Systems

The flaw affects YiFang CMS, specifically the Extended Management Module, across all releases up to and including version 2.0.5.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1 % suggests that real‑world exploitation is currently unlikely. The vulnerability can be triggered by sending a crafted HTTP request to the update endpoint, and the requirement for authentication is not specified. The flaw is not listed in the CISA KEV catalog, but the ability to inject script remotely poses a moderate risk for publicly accessible instances.

Generated by OpenCVE AI on April 18, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a supported YiFang CMS version that addresses the vulnerability.
  • If an upgrade is not immediately possible, deploy a web application firewall rule that blocks or sanitizes script content in the Name parameter for the D_friendLinkGroup.php update endpoint.
  • Implement server‑side validation and output encoding of the Name input to prevent cross‑site scripting, following best practices for sanitizing user‑supplied data.

Generated by OpenCVE AI on April 18, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Yifangcms
Yifangcms yifang
CPEs cpe:2.3:a:yifangcms:yifang:*:*:*:*:*:*:*:*
Vendors & Products Yifangcms
Yifangcms yifang

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Yifang
Yifang cms
Vendors & Products Yifang
Yifang cms

Sun, 22 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Title YiFang CMS Extended Management D_friendLinkGroup.php update cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yifang Cms
Yifangcms Yifang
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T18:33:35.658Z

Reserved: 2026-02-21T08:08:49.837Z

Link: CVE-2026-2934

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-22T09:16:11.173

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses