Cross Site Scripting Vulnerability in YzmCMS by YzmCMS
CVE-2026-15202
Key Information:
Badges
What is CVE-2026-15202?
A security flaw has been identified in the YzmCMS component 'Header Handler' in versions up to 7.5, specifically within the get_url function located in the yzmphp.php file. This vulnerability arises from improper validation of the HTTP_HOST argument, allowing attackers to perform cross-site scripting (XSS). This can enable unauthorized remote exploitation, potentially leading to the theft of sensitive information or session hijacking. Despite early notification to the vendor regarding this security issue, no response has been received.
Affected Version(s)
YzmCMS 7.0
YzmCMS 7.1
YzmCMS 7.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
