{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2200", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-07T17:40:53.635Z", "datePublished": "2026-02-09T01:02:05.911Z", "dateUpdated": "2026-02-23T09:52:53.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:52:53.144Z"}, "title": "heyewei JFinalCMS API Endpoint save cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "heyewei", "product": "JFinalCMS", "versions": [{"version": "5.0.0", "status": "affected"}], "cpes": ["cpe:2.3:a:heyewei:jfinalcms:*:*:*:*:*:*:*:*"], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T02:23:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "chonger123 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344903", "name": "VDB-344903 | heyewei JFinalCMS API Endpoint save cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344903", "name": "VDB-344903 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.750098", "name": "Submit #750098 | heyewei heyewei JFinalcms 5.0.0 Improper Neutralization of Input During Web Page Generation", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zh-010/my_cve/blob/main/heyewei%20JFinalCMS%20XSS.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T16:35:00.584536Z", "id": "CVE-2026-2200", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:35:10.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2200", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T16:35:00.584536Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:35:06.794Z"}}], "cna": {"title": "heyewei JFinalCMS API Endpoint save cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "chonger123 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:heyewei:jfinalcms:*:*:*:*:*:*:*:*"], "vendor": "heyewei", "modules": ["API Endpoint"], "product": "JFinalCMS", "versions": [{"status": "affected", "version": "5.0.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-07T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T02:23:40.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344903", "name": "VDB-344903 | heyewei JFinalCMS API Endpoint save cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344903", "name": "VDB-344903 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.750098", "name": "Submit #750098 | heyewei heyewei JFinalcms 5.0.0 Improper Neutralization of Input During Web Page Generation", "tags": ["third-party-advisory"]}, {"url": "https://github.com/zh-010/my_cve/blob/main/heyewei%20JFinalCMS%20XSS.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:52:53.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2200", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:52:53.144Z", "dateReserved": "2026-02-07T17:40:53.635Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-09T01:02:05.911Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:heyewei:jfinalcms:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1184ABA1-685A-4CBF-9D88-616116DA2DAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en heyewei JFinalCMS 5.0.0. Esto afecta a una funci\u00f3n desconocida del archivo /admin/admin/save del componente API Endpoint. La ejecuci\u00f3n de una manipulaci\u00f3n puede conducir a cross-site scripting. El ataque puede lanzarse remotamente. El exploit se ha puesto a disposici\u00f3n del p\u00fablico y podr\u00eda utilizarse para ataques."}], "id": "CVE-2026-2200", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-09T02:16:03.557", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/zh-010/my_cve/blob/main/heyewei%20JFinalCMS%20XSS.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344903"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344903"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.750098"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:08:09.435740+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched release of JFinalCMS that addresses the XSS flaw, if such a version exists.", "Implement server\u2011side input validation and output encoding for the /admin/admin/save endpoint to strip or neutralize script tags before storing data.", "Enable a strong Content Security Policy that restricts inline script execution and disallows external script loading from untrusted sources."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Systems running the heyewei JFinalCMS 5.0.0 component are affected. The vulnerability is linked to the /admin/admin/save endpoint of the CMS administration area. No other product versions are listed as impacted in the available data.", "description_and_impact": "A vulnerability has been discovered in the 5.0.0 release of heyewei JFinalCMS. When an attacker submits a crafted payload to the /admin/admin/save API endpoint, the system stores the input without proper sanitization, allowing arbitrary JavaScript to be embedded. When that stored content is later rendered in the web application, the injected script runs in the victim\u2019s browser, enabling session hijacking, data theft, or site defacement. The flaw is a stored cross\u2011site scripting (XSS) condition covered by CWE\u201179 and CWE\u201194.", "risk_and_exploitability": "The base CVSS score of 4.8 indicates a moderate risk rating. The EPSS score is reported as less than 1 percent, implying that exploitation is unlikely at this time, and the vulnerability is not included in the CISA KEV catalog. Attackers can initiate the exploit remotely by sending a malicious request to the admin interface; however, the ability to trigger the stored script depends on successful data persistence and subsequent page rendering. Because the flaw resides in an administrative endpoint, it is likely that an attacker would need access to an active admin session to inject the payload, but this is inferred from the description."}}}}, "created": "2026-02-09T10:39:30.680400+00:00", "updated": "2026-04-18T13:15:25.714282+00:00", "vendors": ["heyewei", "heyewei$PRODUCT$jfinalcms"]}