{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29933", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T14:56:34.048Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:51:39.464968Z", "id": "CVE-2026-29933", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:34.048Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:51:39.464968Z"}}}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:52:00.267Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69"}], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29933", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:56:34.048Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-26T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) reflejada en el componente /index/login.html de YZMCMS v7.4 permite a los atacantes ejecutar Javascript arbitrario en el contexto del navegador del usuario mediante la modificaci\u00f3n del valor del referrer en la cabecera de la solicitud."}], "id": "CVE-2026-29933", "lastModified": "2026-03-30T15:16:25.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T15:16:35.890", "references": [{"source": "cve@mitre.org", "url": "https://github.com/yzmcms/yzmcms/issues/69"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/yzmcms/yzmcms/issues/69"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yzmcms", "vendor": "yzmcms"}], "analysis": {"en": {"generated_at": "2026-03-27T22:08:10.353062+00:00", "value": {"mitigation_remediation": ["Apply an updated version of YZMCMS that removes the Referrer-based reflection in the login page.", "If no update is available, configure the web server or application to strip or sanitize the Referrer header before it reaches the login page.", "Deploy a web application firewall rule or input sanitizer to escape Referrer values if they reach the browser.", "Verify that the login page does not echo any user\u2011controlled headers and review other components for similar issues.", "Educate users about unexpected links to the login page and the risks of phishing."], "summary": {"action": "Patch", "impact": "Arbitrary JavaScript execution in users' browsers"}, "threat_synthesis": {"affected_systems": "All installations of YZMCMS version 7.4 that expose the /index/login.html page are vulnerable. No other vendors or product versions were identified in the advisory. The flaw resides in the login component and affects any user who accesses or is redirected to that page.", "description_and_impact": "YZMCMS v7.4 contains a reflected cross\u2011site scripting flaw in its /index/login.html component. An attacker can influence the HTTP Referrer header to inject malicious JavaScript that the login page renders, allowing arbitrary code execution in any visitor's browser. This can lead to session hijacking, credential theft, or malicious redirects. The weakness maps to common reflected XSS (CWE\u201179).", "risk_and_exploitability": "The overall likelihood of exploitation is estimated at less than 1 percent, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires only the ability to craft a request with a malicious Referrer header and direct a victim to the login page, which can be done through social\u2011engineering or phishing. Because the attack can be carried out without special privileges, the risk is moderate; sites with high traffic or sensitive data should treat it as high priority."}}}}, "created": "2026-03-27T08:36:30.301451+00:00", "title": "Reflected XSS via Referrer Header in YZMCMS 7.4", "updated": "2026-03-29T20:28:09.914517+00:00", "vendors": ["yzmcms", "yzmcms$PRODUCT$yzmcms"], "weaknesses": ["CWE-79"]}