Description
A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary JavaScript in the context of the user's browser via modifying the referrer value in the request header.
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Reflected cross-site scripting via the Referer request header (the HTTP "referrer" header) on the YZMCMS login page.
Action: Assess Impact
AI Analysis

Impact

A reflected cross-site scripting (XSS) flaw exists in the /index/login.html component of YZMCMS v7.4. By altering the value of the Referer request header (the HTTP referrer header is spelled "Referer"), an attacker can inject arbitrary JavaScript that executes in the victim's browser. This allows the attacker to steal session cookies, deface content, or launch further phishing attacks, compromising the confidentiality and integrity of the user session.

Affected Systems

The vulnerability affects YZMCMS version 7.4. No other versions or products are listed as impacted, and the vendor is not identified beyond the YZMCMS name.

Risk and Exploitability

No CVSS score is provided and EPSS information is unavailable, but the flaw is not listed in the CISA KEV catalogue. Because Referer is a standard HTTP request header, it can be supplied through normal browser navigation or by HTTP tooling, making exploitation straightforward. The risk is moderate to high for any environment where users reach the YZMCMS login page from untrusted networks.

Generated by OpenCVE AI on March 27, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a patched or newer release of YZMCMS is available, install it immediately.
  • If no patch exists, configure the web server or application to strip or validate the Referer header before the login page processes the request.
  • Apply a WAF rule or middleware that rejects or sanitizes malicious Referer header values.
  • Consider setting the Referrer-Policy response header to "no-referrer" so that browsers do not send the header in the first place; note that this policy governs the referrer sent when navigating away from the page that sets it, so it must be present on the pages that link to the login page, not only on the login page itself.
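The second and fourth actions above, carried out as a small WSGI middleware. This is an added example, not YZMCMS code or an OpenCVE artefact; it assumes the application runs under WSGI (so the header arrives as the HTTP_REFERER environ key), that the login page lives at the advisory's /index/login.html path, and that cms.example is the site's own host name.

```python
from html import escape
from urllib.parse import urlsplit
LOGIN_PATH = "/index/login.html"  # path named in the advisory

def sanitize_referer(referer, allowed_host):
    """Keep the Referer only if it is an absolute http(s) URL on allowed_host
    with no HTML metacharacters; return None to have the header dropped."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or parts.hostname != allowed_host.lower():
        return None
    if any(ch in referer for ch in '<>"\'&'):  # a genuine same-origin referrer never needs these
        return None
    return referer

class RefererGuard:
    """WSGI middleware (assumed deployment shape): sanitize the Referer on the
    login page before the app sees it and add Referrer-Policy: no-referrer."""
    def __init__(self, app, allowed_host):
        self.app, self.allowed_host = app, allowed_host
    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == LOGIN_PATH:
            clean = sanitize_referer(environ.get("HTTP_REFERER"), self.allowed_host)
            if clean is None:
                environ.pop("HTTP_REFERER", None)
            else:
                environ["HTTP_REFERER"] = clean
        def guarded_start(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "referrer-policy"]
            return start_response(status, headers + [("Referrer-Policy", "no-referrer")], exc_info)
        return self.app(environ, guarded_start)

def demo_app(environ, start_response):
    """Constructed stand-in for the login page: reflects the Referer into a link, HTML-escaped."""
    ref = environ.get("HTTP_REFERER", "")
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f'<a href="{escape(ref, quote=True)}">back</a>'.encode()]

def run(app, path, referer):
    """Drive a WSGI app in-process; return (status, response headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "HTTP_REFERER": referer}, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()
```

The escaping in demo_app is the defense the vulnerable page lacks; the middleware is a stop-gap for deployments that cannot change the application code.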


Tracking


Advisories

No advisories yet.

References
History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via Referrer Header in YZMCMS Login Page
Weaknesses CWE-79

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via Referrer Header in YZMCMS Login Page
Weaknesses CWE-79

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared: Yzmcms; Yzmcms yzmcms
Vendors & Products: Yzmcms; Yzmcms yzmcms

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-26T15:10:43.069Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29933

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T15:16:35.890

Modified: 2026-03-26T15:16:35.890

Link: CVE-2026-29933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T15:47:47Z

Weaknesses

No weakness.