Description
A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. Performing a manipulation of the argument Title results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

A flaw in the update function of D_singlePage.php in YiFang CMS 2.0.5 allows an attacker to insert arbitrary script content into the Title field. The supplied script is rendered without proper sanitization, creating a client‑side injection vulnerability. The CVE description explicitly states that remote exploitation is possible and that public exploits have been released. The weakness is identified as CWE‑79 (unvalidated script inclusion) and CWE‑94 (execution of arbitrary code).

Affected Systems

The only version listed as vulnerable is YiFang CMS 2.0.5. Any installation that exposes the D_singlePage.php update endpoint may be impacted, regardless of the deployment context or user roles, as the vulnerability resides in the application logic that processes administrator input.

Risk and Exploitability

A CVSS score of 5.1 indicates medium severity, while an EPSS score of less than 1 % suggests that exploitation attempts are unlikely to be widespread at present. The vulnerability is not catalogued in the CISA KEV list, but the existence of publicly available exploits means that adversaries could craft and send malicious requests remotely to trigger the XSS. The attack surface is limited to HTTP requests containing a manipulated Title parameter; no local privilege or authentication escalation is required beyond access to the update API.

Generated by OpenCVE AI on April 16, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YiFang CMS to a version that includes the vendor‑supplied fix if one is available.
  • Modify the D_singlePage.php update routine to escape the Title input with a proper output‑encoding function such as PHP’s htmlspecialchars before rendering it to the browser.
  • Ensure that the update functionality is accessible only to authenticated administrative users and implement CSRF protection to reduce the likelihood of remote exploitation.

Generated by OpenCVE AI on April 16, 2026 at 10:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Yifangcms
Yifangcms yifang
CPEs cpe:2.3:a:yifangcms:yifang:2.0.5:*:*:*:*:*:*:*
Vendors & Products Yifangcms
Yifangcms yifang

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Yifang
Yifang cms
Vendors & Products Yifang
Yifang cms

Sun, 08 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. Performing a manipulation of the argument Title results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title YiFang CMS D_singlePage.php update cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yifang Cms
Yifangcms Yifang
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:45:55.360Z

Reserved: 2026-03-07T20:12:21.498Z

Link: CVE-2026-3742

cve-icon Vulnrichment

Updated: 2026-03-11T19:45:52.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-08T15:15:48.783

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3742

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses