Description
A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifang_backend_account/logic/admin/L_rbac_admin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch
AI Analysis

Impact

A cross‑site scripting flaw resides in the store function of the Extended Management Module of Yifang CMS, specifically in the file plugins/yifang_backend_account/logic/admin/L_rbac_admin.php. By manipulating the Account argument, an attacker can inject arbitrary JavaScript that will be executed in the browsers of users who view the affected page. The injected code may steal session cookies, deface the site, or perform other malicious actions. The flaw is executable remotely, and the corresponding exploit has already been released publicly.

Affected Systems

Versions of Yifang CMS up to and including 2.0.5 are affected. No higher‑version data is provided, and the vendor has not responded to the disclosure. The vulnerability resides in the Extended Management Module supplied by Yifang:CMS.

Risk and Exploitability

The CVSS score of 5.1 places this issue in the medium severity range. EPSS and KEV data are not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, as the description specifies that the exploitation can be performed from outside the system. An attacker only needs to send a crafted request containing the malicious Account parameter to trigger the XSS payload. Once the script runs in a victim’s browser, confidentiality, integrity, and availability of user accounts on the affected site can be compromised.

Generated by OpenCVE AI on April 20, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yifang CMS to a version newer than 2.0.5 if one is available; otherwise, contact the vendor for a patch.
  • Implement strict input validation or sanitization for the Account parameter to reject scripts and enforce allowed character sets.
  • Restrict access to the L_rbac_admin.php endpoint by requiring proper authentication and, if feasible, applying network‑level controls or a web application firewall that filters out XSS payloads.

Generated by OpenCVE AI on April 20, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Yifang
Yifang cms
Vendors & Products Yifang
Yifang cms

Mon, 20 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifang_backend_account/logic/admin/L_rbac_admin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Yifang CMS Extended Management L_rbac_admin.php store cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Yifang Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T13:01:44.244Z

Reserved: 2026-04-19T19:12:49.575Z

Link: CVE-2026-6633

cve-icon Vulnrichment

Updated: 2026-04-20T12:54:40.403Z

cve-icon NVD

Status : Received

Published: 2026-04-20T12:16:09.303

Modified: 2026-04-20T12:16:09.303

Link: CVE-2026-6633

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T13:30:05Z

Weaknesses