Skip to main content

FoxCMS CVE-2026-9608

| EUVDEUVD-2026-32028 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 cna@vuldb.com GHSA-jrpj-9599-5gw6
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:30 vuln.today

DescriptionCVE.org

A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site scripting in QianFox FoxCMS versions 1.2.0 through 1.2.6 allows a high-privileged attacker to inject malicious JavaScript via the /Tag/edit endpoint in the Administrator Backend, executing in the context of another user's browser session upon interaction. A proof-of-concept exploit has been publicly disclosed via a GitHub issue report, though the vendor has not yet acknowledged or responded to the disclosure. The CVSS 4.0 score of 1.9 and EPSS of 0.03% (9th percentile) reflect the severe prerequisite constraints - administrator-level authentication and passive user interaction - which sharply limit real-world exploitability.

Technical ContextAI

FoxCMS is a PHP-based content management system maintained under the QianFox project on GitHub. The vulnerability manifests in the tag editing functionality at the /Tag/edit route within the administrator backend component, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The root cause is insufficient sanitization or encoding of user-supplied input before it is rendered back into the HTML document, enabling injection of executable script content. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P) confirms this is a network-reachable endpoint with no special attack requirements beyond administrator-level credentials. Affected versions span the entire 1.2.x release line from 1.2.0 to 1.2.6, as confirmed by ENISA EUVD-2026-32028.

RemediationAI

No vendor-released patch has been identified at time of analysis - the project was notified through a public GitHub issue (https://github.com/QianFox/FoxCMS/issues/2) but has not responded. Organizations running FoxCMS 1.2.x should monitor the upstream repository at https://github.com/QianFox/FoxCMS/ for any patch release. As a compensating control, restrict access to the Administrator Backend exclusively to trusted, named administrators via network-layer controls such as IP allowlisting or VPN requirement, which reduces the attack surface to insider threat only. Deploying a web application firewall rule to detect and block XSS payloads in POST parameters targeting /Tag/edit can provide additional defense; note this may produce false positives for legitimate tag content containing angle brackets. Content Security Policy (CSP) headers can be introduced at the web server layer to limit the impact of any injected scripts by restricting script execution origins, though this requires careful tuning to avoid breaking existing admin panel functionality.

Share

CVE-2026-9608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy