Description
A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary JavaScript in the context of the user's browser via modifying the referer value in the request header.
Published: 2026-03-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Browser-based code execution
Action: Immediate Patch
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the /admin/menus component of LightCMS 2.0, allowing an attacker to inject and execute arbitrary JavaScript by modifying the Referer header of a request. This can lead to session hijacking, data exfiltration, or defacement while an administrator is authenticated.

Affected Systems

The vulnerability affects LightCMS version 2.0 from the LightCMS Project. No other vendors or products are listed.

Risk and Exploitability

With a CVSS 3.1 base score of 6.1 the risk level is moderate, and an EPSS score below 1% indicates a low likelihood of exploitation in the wild. The flaw is not included in the CISA KEV catalog. Exploitation requires an attacker to lure a logged-in administrator into requesting /admin/menus with a Referer header that carries the payload, so that the injected script runs with the administrator's privileges. Because browsers populate Referer from the URL of the referring page, the attacker must control that URL (or an intermediary that rewrites the header) for the payload to reach the vulnerable component.

Generated by OpenCVE AI on April 2, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated release of LightCMS that resolves the reflected XSS issue as soon as it is available.
  • If an update cannot be applied immediately, configure the web server to strip or sanitize the Referer header for requests to /admin/menus, mitigating the vulnerability until a patch is installed.
  • Monitor the browser console of administrative sessions for unexpected script activity or errors.
  • Follow the discussion on GitHub at https://github.com/eddy8/LightCMS/issues/38 for the latest developments and potential workarounds.
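The following is an added illustration, not LightCMS code (the project's actual /admin/menus handler is not on this page). It models, in a minimal WSGI-style handler, the bug class described in the AI analysis above (a Referer header copied verbatim into HTML) next to a hardened form that restricts the value to same-origin http(s) URLs and HTML-encodes it, and it implements the second recommended action (dropping Referer for requests under /admin/menus) as an application-layer middleware, on the assumption that the page does not need the header. Host names and request values are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Added illustration, not LightCMS code: the project's real /admin/menus handler
# is not on the page. A minimal WSGI-style model of the bug class (a Referer
# header copied into HTML) with the two defences named in the advisory: output
# encoding in the application, and dropping Referer for the admin path.

ADMIN_MENU_PATH = "/admin/menus"  # path named in the advisory


def render_back_link_unsafe(environ):
    """Vulnerable pattern: the Referer header is written into markup verbatim."""
    referer = environ.get("HTTP_REFERER", "")
    return f'<a href="{referer}">Back</a>'


def render_back_link_safe(environ):
    """Hardened: accept only same-origin http(s) URLs, then HTML-encode the value.

    Anything else falls back to a fixed path, so the header can never inject
    attributes, tags or a non-http scheme into the link.
    """
    referer = environ.get("HTTP_REFERER", "")
    parsed = urlparse(referer)
    same_origin = parsed.netloc == environ.get("HTTP_HOST", "")
    if parsed.scheme not in ("http", "https") or not same_origin:
        referer = ADMIN_MENU_PATH
    return f'<a href="{html.escape(referer, quote=True)}">Back</a>'


def strip_referer_middleware(app):
    """Application-layer equivalent of the web-server workaround in the advisory.

    Removes Referer before the handler sees it for requests under /admin/menus.
    Assumption: the menus page does not need the header for anything.
    """
    def wrapped(environ, start_response):
        if environ.get("PATH_INFO", "").startswith(ADMIN_MENU_PATH):
            environ.pop("HTTP_REFERER", None)
        return app(environ, start_response)
    return wrapped


def reflects_unescaped(rendered, marker):
    """Regression check: does the raw marker survive into the response body?"""
    return marker in rendered


def run_request(path, referer, host="cms.example.test"):
    """Drive the unsafe handler through the middleware with a constructed request.

    Returns (referer_seen_by_handler, response_body).
    """
    seen = {}

    def handler(environ, start_response):
        seen.update(environ)
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [render_back_link_unsafe(environ).encode("utf-8")]

    environ = {"PATH_INFO": path, "HTTP_HOST": host, "HTTP_REFERER": referer}
    app = strip_referer_middleware(handler)
    body = b"".join(app(environ, lambda status, headers: None))
    return seen.get("HTTP_REFERER"), body.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a same-origin referring URL carrying a harmless marker tag.
    marker = "<em>injected</em>"
    env = {"HTTP_HOST": "cms.example.test",
           "HTTP_REFERER": f'http://cms.example.test/admin/?q="><em>injected</em>'}
    print("unsafe :", render_back_link_unsafe(env))
    print("safe   :", render_back_link_safe(env))
    print("reflected raw (unsafe):", reflects_unescaped(render_back_link_unsafe(env), marker))
    print("reflected raw (safe)  :", reflects_unescaped(render_back_link_safe(env), marker))
    print("middleware:", run_request("/admin/menus", env["HTTP_REFERER"]))
```

Output encoding is the actual fix; the middleware only removes the attacker-controlled input from one path and is the kind of stop-gap the advisory describes until a patched release is installed.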

Generated by OpenCVE AI on April 2, 2026 at 23:10 UTC.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in LightCMS Admin Menus via Modified Referer

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Lightcms Project
Lightcms Project lightcms
CPEs cpe:2.3:a:lightcms_project:lightcms:2.0:*:*:*:*:*:*:*
Vendors & Products Lightcms Project
Lightcms Project lightcms

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Reflected XSS in LightCMS Admin Menus via Modified Referer
Weaknesses CWE-79

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via Referer Header in LightCMS 2.0 Admin Menus
Weaknesses CWE-79

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS via Referer Header in LightCMS 2.0 Admin Menus
Weaknesses CWE-79

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Eddy8
Eddy8 lightcms
Vendors & Products Eddy8
Eddy8 lightcms

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referer value in the request header.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-26T18:15:20.871Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29934

Vulnrichment

Updated: 2026-03-26T18:15:17.220Z

NVD

Status : Analyzed

Published: 2026-03-26T15:16:36.017

Modified: 2026-04-02T19:37:31.550

Link: CVE-2026-29934

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:02Z

Weaknesses