CVE-2026-6633 Overview
CVE-2026-6633 is a cross-site scripting (XSS) vulnerability affecting Yifang CMS up to version 2.0.5. The flaw resides in the store function of plugins/yifang_backend_account/logic/admin/L_rbac_admin.php, part of the Extended Management Module. Attackers can manipulate the Account argument to inject client-side script that executes in an authenticated administrator's browser session. The vulnerability is exploitable remotely and requires low-privileged authentication plus user interaction. Public exploit details have been released. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
Authenticated attackers can inject script into the admin interface of Yifang CMS 2.0.5, enabling session abuse and administrative actions performed in the victim's context.
Affected Products
- Yifang CMS versions up to and including 2.0.5
- Component: Extended Management Module (plugins/yifang_backend_account)
- File: plugins/yifang_backend_account/logic/admin/L_rbac_admin.php
Discovery Timeline
- 2026-04-20 - CVE-2026-6633 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6633
Vulnerability Analysis
The vulnerability is a stored or reflected cross-site scripting flaw classified under CWE-79. It exists in the role-based access control (RBAC) administration logic of Yifang CMS. When an administrator submits the account creation or update form, the store function in L_rbac_admin.php processes the Account parameter without sufficient output encoding or input sanitization. An attacker with low-privileged backend access can submit payloads containing HTML or JavaScript that later render in the administrative interface.
The attack requires user interaction, meaning a privileged user must view the affected page for the payload to execute. Once triggered, the script runs with the privileges of the viewing user in the application origin.
Root Cause
The root cause is missing or inadequate neutralization of user-supplied input in the Account field handled by the store method. Yifang CMS does not apply context-aware HTML escaping before reflecting the value into the admin response, allowing arbitrary JavaScript to be parsed by the browser.
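The following is an added illustration, not code from the advisory or from Yifang CMS (which is written in PHP): it models the root cause described above in Python, placing the unencoded rendering of an Account value beside a version that applies HTML escaping, and uses the standard-library HTML parser to count what a browser would actually treat as a script tag or event handler. The sample Account value, the td/data-account markup and the function names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample Account value. It combines a raw tag with an attribute
# break-out so that both rendering contexts below are exercised; the payload
# actually used against Yifang CMS is not reproduced on this page.
SAMPLE_ACCOUNT = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_account_row_unsafe(account: str) -> str:
    """Vulnerable pattern (analogue of the flaw described above): the stored
    Account value is concatenated into the admin page with no output encoding,
    once inside a double-quoted attribute and once as element text."""
    return f'<td data-account="{account}">{account}</td>'


def render_account_row_safe(account: str) -> str:
    """Hardened pattern: html.escape() with quote=True turns <, >, &, " and '
    into entities, which is the right encoding for both an HTML text node and
    a quoted attribute value. Other contexts (a JavaScript string, a URL) need
    their own encoder; this function only ever emits these two contexts."""
    escaped = html.escape(account, quote=True)
    return f'<td data-account="{escaped}">{escaped}</td>'


class _MarkupAudit(HTMLParser):
    """Counts what a browser would actually see: <script> start tags and
    on* event-handler attributes on any element."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        # HTMLParser lowercases attribute names, so "onMouseOver" is caught too.
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit_fragment(fragment: str) -> dict:
    """Parse a rendered fragment and report the active markup it contains."""
    parser = _MarkupAudit()
    parser.feed(fragment)
    parser.close()
    return {"script_tags": parser.script_tags, "event_handlers": parser.event_handlers}


if __name__ == "__main__":
    for label, render in (("unsafe", render_account_row_unsafe), ("safe", render_account_row_safe)):
        fragment = render(SAMPLE_ACCOUNT)
        print(f"{label}: {audit_fragment(fragment)}\n  {fragment}")
```

The audit reports one script tag and one event handler for the unsafe rendering and zero for the escaped one; the escaped page still displays the attacker's text verbatim, which is the point of output encoding rather than input filtering.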
Attack Vector
Exploitation occurs over the network against the Yifang CMS administrative backend. The attacker authenticates with a low-privilege account and submits a malicious Account value through the Extended Management Module. When a higher-privileged administrator opens the affected view, the injected script executes. Technical details are available in the GitHub CVE Issue Discussion and the VulDB #358267 entry.
No verified proof-of-concept code is reproduced here. Refer to the linked references for payload specifics.
Detection Methods for CVE-2026-6633
Indicators of Compromise
- Unexpected HTML tags or <script> fragments stored in the Account field of RBAC admin records.
- Outbound HTTP requests from administrator browser sessions to attacker-controlled domains shortly after viewing the user management page.
- Anomalous administrative actions (privilege grants, account creation) performed without corresponding interactive sessions.
Detection Strategies
- Inspect web server access logs for POST requests to endpoints invoking L_rbac_admin.php containing encoded angle brackets, javascript: URIs, or event handler attributes in the Account parameter.
- Deploy web application firewall (WAF) rules that flag XSS signatures targeting the Yifang backend account routes.
- Review the RBAC account table in the database for entries containing HTML or script syntax in account name columns.
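As an added example (not part of the advisory), the log review and the database review from the list above are implemented together in Python. The log lines, IP addresses, timestamps and account rows are constructed; the only value taken from the page is the L_rbac_admin.php path and the Account parameter name. One caveat a practitioner should keep in mind: a standard access log records the query string only, so an Account value sent in the POST body never appears in it, and that case needs a WAF or application-level log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markup that has no business in an account name: angle brackets, a
# javascript: scheme, or an inline event-handler attribute. This is a
# heuristic tuned for this one field, not a general XSS detector.
SUSPECT = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Combined-log-format request line; only the fields used below are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (hypothetical IPs and timestamps). The second
# and third carry the kind of Account value the advisory says to look for;
# the first is a benign request and the fourth hits an unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:10:01:02 +0000] "POST /plugins/yifang_backend_account/logic/admin/L_rbac_admin.php?Account=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2026:10:03:11 +0000] "POST /plugins/yifang_backend_account/logic/admin/L_rbac_admin.php?Account=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Apr/2026:10:04:40 +0000] "POST /plugins/yifang_backend_account/logic/admin/L_rbac_admin.php?Account=x%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Apr/2026:10:05:00 +0000] "GET /index.php?Account=%3Cb%3E HTTP/1.1" 200 100 "-" "curl/8.0"
"""


def suspicious_account_requests(log_text: str) -> list:
    """Return (ip, timestamp, decoded Account value) for every POST to
    L_rbac_admin.php whose query string carries a suspicious Account value.
    Caveat: the access log holds the query string only; an Account value sent
    in the POST body is invisible here."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/L_rbac_admin.php"):
            continue
        # parse_qs percent-decodes, so %3C is matched as '<' rather than as text.
        for value in parse_qs(url.query).get("Account", []):
            if SUSPECT.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


def suspicious_account_rows(rows) -> list:
    """Database-side check: rows are (id, account_name) pairs pulled from the
    RBAC account table; return those whose stored name contains markup."""
    return [(row_id, name) for row_id, name in rows if SUSPECT.search(name or "")]


if __name__ == "__main__":
    for hit in suspicious_account_requests(SAMPLE_LOG):
        print("log:", hit)
    # Constructed rows standing in for a SELECT of id and account name from the RBAC table.
    sample_rows = [(1, "admin"), (2, "<img src=x onerror=alert(1)>"), (3, "editor")]
    for hit in suspicious_account_rows(sample_rows):
        print("db:", hit)
```

Run against the sample log this flags the two requests from 203.0.113.9 and ignores both the benign POST and the GET to an unrelated path; the same SUSPECT pattern applied to exported account rows flags only the row carrying markup.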
Monitoring Recommendations
- Enable Content Security Policy (CSP) violation reporting on the admin interface and forward reports to centralized logging.
- Monitor admin session cookies and authentication tokens for use from unexpected IP ranges or user agents.
- Audit creation and modification events for backend accounts and correlate with the submitting user's role.
How to Mitigate CVE-2026-6633
Immediate Actions Required
- Restrict access to the Yifang CMS administrative backend to trusted IP ranges using network or reverse-proxy ACLs.
- Revoke or audit low-privileged backend accounts that are not strictly required, since exploitation requires authenticated access.
- Review the RBAC account table and remove any records containing HTML or JavaScript content in the Account field.
Patch Information
No vendor patch is available at the time of publication. The vendor did not respond to disclosure attempts according to the VulDB #358267 entry. Track the upstream project for future releases beyond version 2.0.5.
Workarounds
- Place the administrative interface behind a WAF with rules that block angle brackets, javascript: schemes, and common event handler attributes in the Account parameter.
- Require administrators to use isolated browser profiles or dedicated management workstations when accessing the Yifang CMS backend.
- Enforce a strict Content Security Policy that disallows inline scripts on backend admin pages to reduce the impact of injected payloads.
# Example nginx rule to block angle brackets in the Account parameter.
# Note: $args is the query string only. An Account value sent in a POST body
# is not inspected by this rule and needs a WAF or application-level check.
# [^&]* keeps the match inside the Account value instead of spilling into
# later parameters; %3A covers a percent-encoded colon in javascript:.
location ~* /plugins/yifang_backend_account/ {
    if ($args ~* "Account=[^&]*(%3C|%3E|<|>|javascript(:|%3A))") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.