Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.
Technical ContextAI
FoxCMS is a PHP-based content management system maintained under the QianFox project on GitHub. The vulnerability manifests in the tag editing functionality at the /Tag/edit route within the administrator backend component, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The root cause is insufficient sanitization or encoding of user-supplied input before it is rendered back into the HTML document, enabling injection of executable script content. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms this is a network-reachable endpoint with no special attack requirements beyond administrator-level credentials. Affected versions span the entire 1.2.x release line from 1.2.0 to 1.2.6, as confirmed by ENISA EUVD-2026-32028.
RemediationAI
No vendor-released patch has been identified at time of analysis - the project was notified through a public GitHub issue (https://github.com/QianFox/FoxCMS/issues/2) but has not responded. Organizations running FoxCMS 1.2.x should monitor the upstream repository at https://github.com/QianFox/FoxCMS/ for any patch release. As a compensating control, restrict access to the Administrator Backend exclusively to trusted, named administrators via network-layer controls such as IP allowlisting or VPN requirement, which reduces the attack surface to insider threat only. Deploying a web application firewall rule to detect and block XSS payloads in POST parameters targeting /Tag/edit can provide additional defense; note this may produce false positives for legitimate tag content containing angle brackets. Content Security Policy (CSP) headers can be introduced at the web server layer to limit the impact of any injected scripts by restricting script execution origins, though this requires careful tuning to avoid breaking existing admin panel functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32028
GHSA-jrpj-9599-5gw6