{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29933", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-26T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T15:10:43.069Z"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/yzmcms/yzmcms/issues/69"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary Javascript in the context of the user's browser via modifying the referrer value in the request header."}], "id": "CVE-2026-29933", "lastModified": "2026-03-26T15:16:35.890", "metrics": {}, "published": "2026-03-26T15:16:35.890", "references": [{"source": "cve@mitre.org", "url": "https://github.com/yzmcms/yzmcms/issues/69"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yzmcms", "vendor": "yzmcms"}], "analysis": {"en": {"generated_at": "2026-03-26T17:52:59.740582+00:00", "value": {"mitigation_remediation": ["Apply the latest YZMCMS release that addresses the XSS issue", "If no patch is available, configure the web server to strip or encode the Referrer header before it reaches the application", "Implement a WAF rule that rejects payloads containing JavaScript delimiters in the Referrer header", "Educate developers to sanitize all HTTP headers and escape output before embedding it in HTML", "Monitor logs for attempts to inject script via Referrer headers"], "summary": {"action": "Apply Patch", "impact": "Arbitrary User Browser Script Execution"}, "threat_synthesis": {"affected_systems": "YZMCMS version 7.4 is the only product affected; no other vendors are listed.", "description_and_impact": "A reflected cross\u2011site scripting flaw exists in the login form of YZMCMS version 7.4. The bug permits an attacker to embed malicious JavaScript through the HTTP Referrer header, which the application reflects back in the login page without proper escaping. When the vulnerable page renders, the script executes in the victim\u2019s browser with the privileges of the authenticated user, enabling session hijacking, credential theft, or site defacement.", "risk_and_exploitability": "No publicly available exploit probability score exists, and the flaw is not documented in the CISA known exploited vulnerability list. Attackers must send a crafted Referrer header to a user who visits the login page. Because the payload runs with the victim\u2019s user privileges, the risk is high until a patch is applied. Proper sanitization or removal of the Referrer header would mitigate the flaw."}}}}, "created": "2026-03-27T08:36:30.301451+00:00", "title": "Reflected XSS via Referrer Header in YZMCMS Login Page", "updated": "2026-03-27T09:29:10.715426+00:00", "vendors": ["yzmcms", "yzmcms$PRODUCT$yzmcms"], "weaknesses": ["CWE-79"]}