Description
A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-23
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: cross site scripting
Action: Apply Patch
AI Analysis

Impact

An unauthenticated stored cross-site scripting flaw exists in the System Extension Module of 07FLYCMS, 07FLY-CMS and 07FlyCRM. By sending a crafted Title parameter to the /admin/SysModule/edit.html endpoint, an attacker can embed arbitrary JavaScript that is later served to any user who views the page. This enables session hijacking, credential theft, defacement or delivery of further malware. The vulnerability is a classic XSS weakness (CWE-79) and potentially allows code injection (CWE-94).

Affected Systems

The flaw affects 07FLYCMS, 07FLY-CMS and 07FlyCRM up to and including version 1.2.9. These applications are distributed under multiple brand names and were not patched by the vendor as of the disclosure.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity; the EPSS score of less than 1% suggests a low probability of exploitation in the wild. However, because the exploit has already been released publicly and can be launched remotely without authentication, organizations using the affected versions face a non-trivial risk of compromise. The impact is limited to the browsers of users who view the malicious page, but can be leveraged for broader attacks if further credentials are accessed.

Generated by OpenCVE AI on April 17, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed version of the affected CMS or CRM if a patch has been released.
  • If no patch is available, apply input sanitization on the Title field to escape or whitelist HTML characters before rendering.
  • Implement a Content Security Policy that blocks inline JavaScript and restricts script origins.
  • Monitor access logs for anomalous requests to the edit.html endpoint and run periodic XSS scans.
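The three recommendations above (escape the Title at render time, serve a CSP with no inline-script allowance, and review access-log entries for the edit endpoint), worked through as an added example. This is not code from 07FLYCMS, VulDB or OpenCVE; the function names, the CSP value and the log lines are constructed here. One caveat from the page's own metrics: the CVSS vectors record PR:H / Au:M, so the edit form is reached by a logged-in administrator, which is why the log filter lists every request to the endpoint for review instead of treating a request as an attack on its own.

```python
"""Added example (not 07FLYCMS or OpenCVE code): output encoding for the Title
field, a CSP that disallows inline script, and an access-log filter for the
affected endpoint.  Names and sample data below are assumptions."""
import html
import re
from urllib.parse import urlsplit, unquote

# 1. Output encoding: escape at render time, for the HTML context the value lands in.
def render_title(title):
    """Return the Title safe for an HTML text node or a quoted attribute.
    quote=True turns & < > " ' into entities, so stored markup is displayed
    literally rather than parsed by the browser."""
    return html.escape(title, quote=True)

def render_module_row(title):
    # Escaping is applied once, at output, in both the attribute and the text node.
    safe = render_title(title)
    return f'<td data-title="{safe}">{safe}</td>'

# 2. Content Security Policy without 'unsafe-inline': inline <script> blocks and
#    event-handler attributes are not executed even if they reach the page.
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

def csp_header():
    """Header name/value pair to add to every admin response (assumed policy)."""
    return ("Content-Security-Policy", CSP_VALUE)

# 3. Access-log review: list requests to the edit endpoint and mark those whose
#    query string carries HTML markup.  A Title submitted in a POST body never
#    appears in the access log, so POSTs are listed for review, not judged.
EDIT_PATH = "/admin/SysModule/edit.html"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Heuristic: a tag opener, an on*= handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def flag_edit_requests(log_lines):
    """Return (ip, method, markup_in_query) for each request to EDIT_PATH."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        parts = urlsplit(m["target"])
        if parts.path != EDIT_PATH:
            continue
        decoded = unquote(parts.query)  # decode %3C etc. before matching
        findings.append((m["ip"], m["method"], bool(MARKUP_RE.search(decoded))))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2026:10:00:01 +0000] "GET /admin/SysModule/index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Feb/2026:10:00:09 +0000] "POST /admin/SysModule/edit.html HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Feb/2026:10:02:14 +0000] "GET /admin/SysModule/edit.html'
    '?Title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_module_row("<script>x</script>"))
    print(*csp_header(), sep=": ")
    for ip, method, suspicious in flag_edit_requests(SAMPLE_LOG):
        print(f"{ip} {method} markup_in_query={suspicious}")
```

The escaping belongs in the template or view layer, not on input: storing the raw Title and encoding on every output keeps the value usable in other contexts (JSON, logs) and avoids double-encoding. The CSP is a second layer, not a substitute; it only helps when no existing admin page depends on inline script.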


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 07fly, 07fly 07fly-cms, 07fly 07flycms, 07fly 07flycrm
Vendors & Products | | 07fly, 07fly 07fly-cms, 07fly 07flycms, 07fly 07flycrm

Mon, 23 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | 07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting
Weaknesses | | CWE-79, CWE-94
References | |
Metrics | | cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

07fly 07fly-cms 07flycms 07flycrm
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T13:46:48.205Z

Reserved: 2026-02-22T07:34:14.094Z

Link: CVE-2026-2965

Vulnrichment

Updated: 2026-02-23T13:46:43.820Z

NVD

Status: Deferred

Published: 2026-02-23T03:15:58.917

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses