CVE-2026-6633: XSS Vulnerability in Yifang CMS Exposes Users to Remote Attacks

Severity: Medium (Score: 51.9)

Sources: radar.offseq.com, db.gcve.eu, cve.akaoma.com

Summary

A cross-site scripting (XSS) vulnerability, identified as CVE-2026-6633, has been discovered in Yifang CMS versions up to 2.0.5. The flaw resides in the store function of the file plugins/yifang_backend_account/logic/admin/L_rbac_admin.php within the Extended Management Module. Attackers can exploit this vulnerability by manipulating the Account argument, allowing them to execute malicious scripts remotely. The vulnerability has a medium severity rating with a CVSS score of 5.1. Public exploit code is now available, increasing the risk of attacks, although no active exploitation has been confirmed in the wild. The vendor has not responded to disclosure attempts, and no official patch or remediation is currently available. Users are advised to implement web application firewall (WAF) rules and monitor for suspicious activity. Regular checks for updates from the vendor are recommended.

Key Points:

  • CVE-2026-6633 affects Yifang CMS versions up to 2.0.5, allowing remote XSS attacks.
  • Public exploit code is available, increasing the risk of exploitation despite no confirmed attacks.
  • The vendor has not responded to disclosure attempts and no patch is currently available.
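The WAF and monitoring advice above can be expressed as a check on the Account field of incoming requests. This is an added example, not code from Yifang CMS or from the listed sources; it assumes form-encoded request bodies and an account-name allowlist, and the function names and sample bodies are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: legitimate account names use only these characters.
ACCOUNT_ALLOWLIST = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Characters that let a value break out of HTML text or attribute context.
HTML_SIGNIFICANT = set("<>\"'`&")
MAX_DECODE_ROUNDS = 3


def fully_decode(value: str) -> str:
    """Undo nested URL-encoding (%253C -> %3C -> <), with a bounded loop."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_account_field(body: str) -> list[str]:
    """Return reasons to block or alert on a form-encoded request body."""
    findings = []
    # parse_qsl performs the first round of URL-decoding.
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name.lower() != "account":
            continue
        value = fully_decode(raw)
        bad = sorted(HTML_SIGNIFICANT.intersection(value))
        if bad:
            findings.append("html-significant characters: " + "".join(bad))
        elif not ACCOUNT_ALLOWLIST.fullmatch(value):
            findings.append("value outside account-name allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample bodies; the Role field is hypothetical.
    samples = [
        "Account=alice&Role=editor",
        "Account=%3Cb%3Ex%3C%2Fb%3E&Role=editor",
        "account=%253Cb%253E",
        "Account=bob%20smith",
    ]
    for body in samples:
        print(body, "->", check_account_field(body) or "ok")
```

A filter like this is a stopgap in front of the application while no vendor patch exists; hits on the first rule are also worth alerting on, since they indicate markup being submitted where an account name is expected.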

Key Entities

  • XSS (vulnerability)
  • CVE-2026-6633 (cve)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • Yifang CMS (platform)