CVE-2026-9608
Deferred Deferred - Pending Action
Cross-Site Scripting in QianFox FoxCMS

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: VulDB

Description
A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-9608
EUVD
EUVD-2026-32028
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qianfox foxcms to 1.2.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9608 is a stored cross-site scripting (XSS) vulnerability in QianFox FoxCMS up to version 1.2.6, specifically affecting the /Tag/edit function in the Administrator Backend component.

The vulnerability arises because the application does not properly validate or sanitize user input on the server side, allowing attackers to store malicious HTML or JavaScript code in the database.

When administrators or other users access the affected pages, the malicious scripts execute in their browsers, enabling stored XSS attacks.

The system relies only on frontend input length restrictions, which can be bypassed, exposing a lack of proper server-side validation.

Impact Analysis

Exploitation of this vulnerability can allow attackers to execute malicious scripts in the browsers of administrators or users accessing the affected pages.

  • Steal sensitive data such as cookies or authentication tokens.
  • Impersonate administrators to gain unauthorized access.
  • Modify backend content, potentially altering site data or functionality.
  • Conduct phishing attacks by injecting deceptive content.
  • Cause database issues by submitting overly long inputs.

If malicious content is displayed on frontend pages, regular users may also be impacted.

Detection Guidance

The vulnerability involves stored cross-site scripting (XSS) in FoxCMS's tag-related features due to improper server-side input validation and sanitization.

Detection can be performed by testing the affected modules (tag, tag group, hotword group, and custom hotword features) for the presence of stored malicious HTML or JavaScript payloads.

You can attempt to inject typical XSS payloads into input fields related to tags or hotwords and then verify if the payload executes when accessing the affected pages in the administrator backend.

  • Use curl or similar tools to send crafted POST requests with XSS payloads to the /Tag/edit endpoint.
  • Example curl command to test injection (replace URL and parameters accordingly):
  • curl -X POST -d "tag=<script>alert('XSS')</script>" https://your-foxcms-site.com/Tag/edit -b cookie.txt -c cookie.txt
  • After injection, access the admin interface and check if the script executes.

Additionally, review logs or use web vulnerability scanners that support stored XSS detection targeting the FoxCMS tag management endpoints.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement server-side input validation and length restrictions to prevent malicious data from being stored.
  • Enforce input allowlisting and sanitize all user inputs on the server side.
  • Properly encode output to avoid unsafe rendering of HTML or JavaScript.
  • Clean existing stored data to remove any previously injected malicious scripts.
  • Apply a Content Security Policy (CSP) to restrict the execution of unauthorized scripts.

Since the project has not yet responded with a patch, these steps can help reduce the risk until an official fix is released.

Compliance Impact

The vulnerability in QianFox FoxCMS allows stored cross-site scripting (XSS) attacks that can lead to the theft of sensitive data such as cookies or tokens, impersonation of administrators, and unauthorized modification of backend content.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Exploitation of this vulnerability could result in unauthorized access to sensitive information, potentially violating data protection requirements and leading to non-compliance with these regulations.

Mitigation measures such as proper server-side input validation, output encoding, and Content Security Policy implementation are necessary to reduce the risk and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart