Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
YiFang CMS 2.0.5: Unvalidated Input Allows Cross-Site Scripting
CVE-2026-2934
Summary
YiFang CMS versions up to 2.0.5 contain a security flaw that allows a malicious attacker to inject malicious code into the system by submitting unverified input, potentially leading to unauthorized access and actions. This affects the Extended Management Module in the CMS. Update to a patched version of YiFang CMS to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yifangcms | yifang | <= 2.0.5 | – |
Original title
A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. Th...
Original description
A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
nvd CVSS2.0
3.3
nvd CVSS3.1
4.8
nvd CVSS4.0
4.8
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
CWE-94
Code Injection
- https://github.com/ZZCTD/CVE/issues/5 Exploit Issue Tracking Third Party Advisory
- https://vuldb.com/?ctiid.347280 Permissions Required VDB Entry
- https://vuldb.com/?id.347280 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.755296 Third Party Advisory VDB Entry
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026