{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29933", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:56:34.048Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:51:39.464968Z", "id": "CVE-2026-29933", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:34.048Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:51:39.464968Z"}}}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:52:00.267Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69"}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29933", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:56:34.048Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yzmcms:yzmcms:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "A6242988-038F-490C-BF15-892EA56E7ACA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) reflejada en el componente /index/login.html de YZMCMS v7.4 permite a los atacantes ejecutar Javascript arbitrario en el contexto del navegador del usuario mediante la modificaci\u00f3n del valor del referrer en la cabecera de la solicitud."}], "id": "CVE-2026-29933", "lastModified": "2026-03-31T21:38:24.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T15:16:35.890", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yzmcms/yzmcms/issues/69"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yzmcms/yzmcms/issues/69"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yzmcms", "vendor": "yzmcms"}], "analysis": {"en": {"generated_at": "2026-04-01T05:45:11.906473+00:00", "value": {"mitigation_remediation": ["Update or patch YZMCMS to a version that removes the Referrer\u2011based XSS flaw.", "If an update is unavailable, reject or sanitize Referrer headers on the /index/login.html endpoint.", "Implement a strict Content Security Policy that blocks inline scripts and restricts script sources.", "Monitor web traffic and logs for attempts to inject script via the Referrer header and verify that the CSP is enforced."], "summary": {"action": "Patch Now", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects the YZMCMS content management system, specifically version 7.4. The vulnerable code resides in the login page component, which is publicly accessible to all users with network connectivity to the application.", "description_and_impact": "A reflected cross\u2011site scripting vulnerability exists in the /index/login.html page of YZMCMS. By altering the Referrer header in a request to that page, an attacker can inject and execute arbitrary JavaScript within the victim\u2019s browser session. This flaw permits client\u2011side code execution that could lead to data theft, credential compromise, or malicious network requests, classified as CWE\u201179.", "risk_and_exploitability": "The nominal CVSS score is 6.1, indicating moderate severity, while the EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker supply a manipulated Referrer header to a victim browser requesting the login page, a scenario that is attainable through phishing or malicious link contexts. Therefore, the risk is moderate with a relatively low likelihood of mass exploitation, but given the potential for credential theft or session hijacking, immediate remediation is advised."}}}}, "created": "2026-03-27T08:36:30.301451+00:00", "title": "YZMCMS v7.4 Reflected XSS via Modified Referrer Header", "updated": "2026-04-02T07:59:00.665752+00:00", "vendors": ["yzmcms", "yzmcms$PRODUCT$yzmcms"]}