Description
A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting (XSS) flaw exists in the Administrator Backend of QianFox FoxCMS within the /Tag/edit endpoint. When specially crafted input is submitted to this component, the application renders the payload without proper escaping, allowing arbitrary JavaScript to execute in the browser context of anyone who views the affected page. The vulnerability enables execution of client-side scripts only; it does not grant direct code execution on the server or compromise the operating system. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') and CWE-94 (Improper Control of Generation of Code, 'Code Injection').

Affected Systems

The vulnerability affects QianFox FoxCMS versions up to and including 1.2.6. Any installation that exposes the tag edit function at /Tag/edit in the Administrator Backend is potentially vulnerable. No public patch has been released and the vendor has not yet responded to the issue report.

Risk and Exploitability

The description states that the attack can be launched remotely by submitting the malicious input. It does not spell out the privileges required, but the published CVSS vectors (PR:H in v3.x and v4.0, Au:M in v2.0) indicate that an authenticated account with high (administrative) privileges is needed and that a victim must interact with the affected page (UI:R / UI:P), which is consistent with the affected component being the Administrator Backend. The CVSS v4.0 score of 4.8 indicates moderate severity, and the EPSS score is below 1% (Very Low), so the predicted probability of exploitation is small. The vulnerability is not listed in the CISA KEV catalog; the description states that an exploit has been publicly disclosed (SSVC Exploitation: poc), but no exploit references are listed in this record.

Generated by OpenCVE AI on May 27, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade to a FoxCMS version released after 1.2.6 once it becomes available.
  • Modify the /Tag/edit handler to perform strict input validation and to escape or filter all user‑supplied data before rendering it in the response, addressing the CWE‑79 weakness.
  • Restrict access to the /Tag/edit endpoint to authenticated administrators only and enforce least‑privilege access controls, mitigating the impact of potential exploitation.

Generated by OpenCVE AI on May 27, 2026 at 03:50 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 01:30:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Title                -                QianFox FoxCMS Administrator Backend edit cross site scripting
First Time appeared  -                Qianfox; Qianfox foxcms
Weaknesses           -                CWE-79; CWE-94
CPEs                 -                cpe:2.3:a:qianfox:foxcms:*:*:*:*:*:*:*:*
Vendors & Products   -                Qianfox; Qianfox foxcms
References           -                -
Metrics              -                cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-27T13:37:53.894Z

Reserved: 2026-05-26T16:23:28.581Z

Link: CVE-2026-9608

Vulnrichment

Updated: 2026-05-27T13:37:43.979Z

NVD

Status: Deferred

Published: 2026-05-27T02:16:35.247

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-9608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T04:00:12Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')