Description
A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

A flaw has been identified in YiFang CMS version 2.0.5, in the update function of app/db/admin/D_singlePageGroup.php. The Name argument is not neutralized before it is rendered, so an attacker can supply markup or script that is later emitted into a page as live HTML, a cross-site scripting (XSS) condition tracked as CWE-79. The attack is launched remotely with a crafted HTTP request to the update endpoint; the CVSS vectors recorded in the history below (PR:L, UI:R / UI:P) indicate that the attacker needs a low-privileged account and that the payload executes in the browser of a user who interacts with the resulting page. A proof-of-concept exploit is public, and the vendor did not respond to the disclosure.

Affected Systems

The advisory names YiFang CMS 2.0.5 (CPE cpe:2.3:a:yifangcms:yifang:2.0.5:*:*:*:*:*:*:*) and, within it, the update function of app/db/admin/D_singlePageGroup.php in the administrative module. No other versions, files or modules are listed. The advisory does not say whether earlier or later releases were tested, so treat them as unassessed rather than as confirmed unaffected until the vendor states otherwise.

Risk and Exploitability

The headline score of 5.1 (Medium) is the CVSS 4.0 base score; the CVSS 3.0 and 3.1 vectors recorded in the history below rate the same issue 3.5 (Low), so the severity shown depends on which version a consumer reads. All vectors agree on the shape of the attack: network-reachable (AV:N), low complexity (AC:L), a low-privileged account required (PR:L), user interaction needed for the payload to fire (UI:R in 3.x, UI:P in 4.0), and a base impact limited to integrity (I:L) with no confidentiality or availability component. In practice, an attacker holding a valid low-privilege session sends a crafted request to the update endpoint with a payload in the Name parameter, and the script runs when a user interacts with the page that renders it. The EPSS score below 1% means exploitation is predicted to be rare across the internet at large; it does not rule out targeted use, since a proof-of-concept is public (SSVC Exploitation: poc, Automatable: no). The CVE is not in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch for YiFang CMS as soon as one is released. At the time of this analysis none is recorded (see Remediation above), and the vendor did not respond to the disclosure.
  • Encode the Name value with a context-aware HTML encoder at every point where it is rendered (for example PHP's htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset), rather than trying to strip script tags: blocklists of tags or JavaScript keywords are routinely bypassed with event-handler attributes, alternate tag names or encoding tricks. Server-side input validation (length, allowed characters) is a useful additional check but not a substitute for output encoding.
  • Limit who can call the update operation. The CVSS vectors show the attacker needs only a low-privileged account (PR:L), so restrict page-group editing to trusted administrators and make sure the endpoint rejects unauthenticated and anonymous sessions.
  • As a stopgap until a patch exists, add a WAF rule that alerts on or blocks requests to D_singlePageGroup.php whose Name parameter contains HTML markup or script fragments, and log the hits for triage. Treat this as detection and delay, not as a fix: the same bypasses that defeat server-side blocklists apply to WAF signatures.
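The following PHP is an added example to illustrate the encoding recommendation above; it is not YiFang CMS code and is not taken from the advisory. It models an "update" handler that stores a user-supplied Name and later renders it into an admin listing, first in the vulnerable shape (value echoed raw) and then in the hardened shape (validated on input, HTML-encoded on output). The function names, the in-memory $store array and the payloads are hypothetical, constructed for this illustration.

```php
<?php
// Added example, not YiFang CMS code: a minimal model of a page-group
// "update" handler that stores a user-supplied Name and later renders it
// in an admin listing. Function names, the in-memory $store array and the
// payloads are hypothetical, constructed for this illustration.
declare(strict_types=1);

// --- Vulnerable shape: stored as received, echoed raw at render time. ---
function update_vulnerable(array &$store, int $id, string $name): void
{
    $store[$id] = ['Name' => $name];
}

function render_vulnerable(array $store): string
{
    $html = '';
    foreach ($store as $id => $row) {
        // Raw interpolation: any markup inside Name becomes part of the page.
        $html .= "<li data-id=\"{$id}\">{$row['Name']}</li>\n";
    }
    return $html;
}

// --- Hardened shape: validate on input, encode on output. ---
function update_hardened(array &$store, int $id, string $name): void
{
    // Input validation: reject empty, overlong or control-character names so
    // the stored value looks like a group name. This is a sanity check; the
    // XSS fix is the output encoding below, which must run on every render
    // path regardless of how the value got into the database.
    if ($name === '' || strlen($name) > 200 || preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        throw new InvalidArgumentException('invalid page group name');
    }
    $store[$id] = ['Name' => $name];
}

function e(string $s): string
{
    // HTML-context encoder. ENT_QUOTES also escapes single quotes, so the
    // result is safe inside quoted attributes as well as element content;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (an empty
    // return would silently drop data and can mask encoding-based bypasses).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $store): string
{
    $html = '';
    foreach ($store as $id => $row) {
        $name = e($row['Name']);
        $html .= '<li data-id="' . (int) $id . '" title="' . $name . '">' . $name . "</li>\n";
    }
    return $html;
}

// Constructed payloads of the kind the advisory implies for the Name argument:
// one for element content, one that breaks out of an attribute, one benign.
$payloads = [
    1 => '<script>alert(document.cookie)</script>',
    2 => 'Products" onmouseover="alert(1)',
    3 => 'Normal Group Name',
];

$vuln = [];
foreach ($payloads as $id => $p) {
    update_vulnerable($vuln, $id, $p);
}
echo "--- vulnerable ---\n", render_vulnerable($vuln);

$safe = [];
foreach ($payloads as $id => $p) {
    update_hardened($safe, $id, $p);
}
$out = render_hardened($safe);
echo "--- hardened ---\n", $out;

// Self-check: neither payload survives encoding as live markup.
assert(strpos($out, '<script') === false);
assert(strpos($out, 'onmouseover="') === false);
```

Run it with php on the command line and compare the two listings: in the vulnerable output the first payload appears as a real script element and the second closes the title attribute and adds an event handler, while in the hardened output both are inert text (&lt;script&gt;..., Products&quot; onmouseover=...). Note that the encoder is applied at every render site, including the attribute, because a value that is safe as element content is not automatically safe inside an attribute, and that stripping "<script" from the input would have done nothing against the second payload.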

Generated by OpenCVE AI on April 16, 2026 at 10:33 UTC.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none listed)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:00:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Yifangcms; Yifangcms yifang

Type: CPEs
Values Removed: (none listed)
Values Added: cpe:2.3:a:yifangcms:yifang:2.0.5:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Yifangcms; Yifangcms yifang

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Yifang; Yifang cms

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Yifang; Yifang cms

Sun, 08 Mar 2026 15:15:00 +0000

Type: Description
Values Removed: (none listed)
Values Added: A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. Executing a manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none listed)
Values Added: YiFang CMS D_singlePageGroup.php update cross site scripting

Type: Weaknesses
Values Removed: (none listed)
Values Added: CWE-79; CWE-94

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: (none listed)
Values Added:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T19:40:45.437Z

Reserved: 2026-03-07T20:12:24.097Z

Link: CVE-2026-3743

Vulnrichment

Updated: 2026-03-11T19:40:37.738Z

NVD

Status : Analyzed

Published: 2026-03-08T15:15:48.987

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses