Description
A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. Manipulation of the argument linkName leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The flaw resides in YiFang CMS 2.0.5, inside the D_friendLink.php update function. By manipulating the linkName argument, an attacker can inject malicious JavaScript that is rendered in a visitor's browser. This cross‑site scripting capability enables session hijacking, credential theft, or defacement when the affected link is viewed.

Affected Systems

YiFang CMS version 2.0.5 is affected. No earlier or later versions are referenced; the CPE indicates this specific release.

Risk and Exploitability

The CVSS 4.0 score of 5.1 classifies the vulnerability as medium severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The issue is publicly disclosed and can be triggered from any remote location; the recorded CVSS vectors, however, require low privileges (PR:L) and user interaction (UI:R in v3.x, UI:P in v4.0), so an account able to reach the admin update function and a victim who views the stored link are assumed. It does not provide a path to full system compromise; it affects only the integrity and confidentiality of the victim's browser session. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update YiFang CMS to a version that addresses the XSS flaw, or remove the update method for friend links from the administrative interface.
  • Implement server‑side validation and output encoding for the linkName field, ensuring that any characters that could trigger script execution are escaped or stripped.
  • Deploy a web‑application firewall rule or a Content Security Policy that blocks or neutralises JavaScript payloads submitted via the linkName parameter, providing a short‑term shield while a patch is applied.
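The second recommended action in code form, as an added example that is not YiFang CMS code: a hypothetical friend-link renderer in the vulnerable shape (name concatenated into HTML verbatim) beside a hardened version that validates linkName on input and applies output encoding on render. Function names, the sample URL and the sample link name are constructed for illustration.

```php
<?php
// Added example (not YiFang CMS code): server-side validation and output
// encoding for a friend-link name. Function and field names are hypothetical.
declare(strict_types=1);

// Validation where the update request is handled: reject names that are
// empty, too long, or carry ASCII control characters. Everything else is
// allowed, because output encoding (not input filtering) is what prevents
// the name from becoming markup.
function validateLinkName(string $linkName): bool
{
    $linkName = trim($linkName);
    if ($linkName === '' || mb_strlen($linkName, 'UTF-8') > 64) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $linkName) === 0;
}

// Encoding where the name is rendered into HTML text or an attribute value.
// ENT_QUOTES escapes both quote styles, so the same helper is safe inside
// title="..." as well as in element text.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical vulnerable rendering: the stored name is concatenated into
// the page as-is, so a name containing a tag is parsed as live markup.
function renderFriendLinkVulnerable(string $url, string $linkName): string
{
    return '<a href="' . $url . '">' . $linkName . '</a>';
}

// Hardened rendering: URL and name are both encoded, and only http/https
// URLs are accepted so a javascript: URL cannot be stored as the link target.
function renderFriendLinkSafe(string $url, string $linkName): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';
    }
    return '<a href="' . encodeForHtml($url) . '">' . encodeForHtml($linkName) . '</a>';
}

// Constructed sample input: a link name carrying a script tag, as a tester
// would submit it; validation passes it, so encoding must do the work.
$name = '<script>alert(1)</script>';
echo renderFriendLinkVulnerable('https://example.org', $name), PHP_EOL;
echo renderFriendLinkSafe('https://example.org', $name), PHP_EOL;
```

Comparing the two printed lines shows the difference: the safe variant renders the name as visible text, while the vulnerable variant emits the tag into the document.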



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics. Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type: First Time appeared. Values added: Yifangcms; Yifangcms yifang
Type: CPEs. Values added: cpe:2.3:a:yifangcms:yifang:2.0.5:*:*:*:*:*:*:*
Type: Vendors & Products. Values added: Yifangcms; Yifangcms yifang

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared. Values added: Yifang; Yifang cms
Type: Vendors & Products. Values added: Yifang; Yifang cms

Sun, 08 Mar 2026 14:45:00 +0000

Type: Description. Values added: A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. Such manipulation of the argument linkName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Type: Title. Values added: YiFang CMS D_friendLink.php update cross site scripting
Type: Weaknesses. Values added: CWE-79; CWE-94
Type: References.
Type: Metrics. Values added:
cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:46:18.525Z

Reserved: 2026-03-07T20:12:17.882Z

Link: CVE-2026-3741

Vulnrichment

Updated: 2026-03-11T19:46:15.622Z

NVD

Status: Analyzed

Published: 2026-03-08T15:15:48.580

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:30:13Z

Weaknesses