Cross-Site Scripting Vulnerability in QianFox FoxCMS Administrator Backend
CVE-2026-9608

4.8MEDIUM

Key Information:

Vendor: Qianfox
Status: Foxcms
Vendor: CVE Published:; 27 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-9608?

A cross-site scripting vulnerability exists in QianFox FoxCMS version 1.2.6, specifically within an unknown function of the /Tag/edit file in the Administrator Backend. This vulnerability allows for remote exploitation through manipulation of specific inputs, potentially leading to unauthorized script execution in the user’s browser. Public disclosure of this exploit increases its risk profile, and although the project was notified of this issue through an issue report, no response has been recorded to address the concern.

Affected Version(s)

FoxCMS 1.2.0

FoxCMS 1.2.1

FoxCMS 1.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9608 - Proof of Concept

References

https://vuldb.com/vuln/365681

vdb-entry

https://vuldb.com/vuln/365681/cti

signaturepermissions-required

https://vuldb.com/submit/818342

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 27, 2026
👾
Exploit known to exist
May 27, 2026
Vulnerability published
May 27, 2026
Vulnerability Reserved
May 26, 2026

Credit

lzihan (VulDB User)

VulDB CNA Team

CVE-2026-9608 Data

JSON

Qianfox

Badges

What is CVE-2026-9608?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit