
Yzmcms CVE-2026-29933

EUVD-2026-16209 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 · cve@mitre.org · GHSA-m982-7wj6-525g
CVSS 3.1 score: 6.1 (NVD)

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (3 events)

  • Mar 26, 2026 15:22 (euvd): EUVD ID Assigned, EUVD-2026-16209
  • Mar 26, 2026 15:22 (vuln.today): Analysis Generated
  • Mar 26, 2026 15:16 (nvd): CVE Published, rated MEDIUM 6.1

Description (CVE.org)

A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary JavaScript in the context of the user's browser via modifying the referrer value in the request header.

Analysis (AI)

YZMCMS v7.4 suffers from a reflected cross-site scripting (XSS) vulnerability in the /index/login.html component that permits attackers to execute arbitrary JavaScript in a user's browser by manipulating the referrer value in request headers. Remote attackers can exploit this to steal session credentials, perform actions on behalf of authenticated users, or redirect users to malicious sites without requiring prior authentication. …


Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents moderate real-world risk. …

Exploit Scenario: An attacker crafts a phishing email containing a link to the YZMCMS login page with an injected JavaScript payload in the referrer header parameter. When a user clicks the link, the payload executes in their browser context, stealing the session cookie or login credentials. …

Remediation: Upgrade YZMCMS to a patched version once released by the vendor; consult the GitHub issue at https://github.com/yzmcms/yzmcms/issues/69 for patch availability and timeline. …


CVE-2026-29933 vulnerability details – vuln.today
