CVE-2026-9608
Cross-Site Scripting in QianFox FoxCMS
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qianfox | foxcms | up to 1.2.6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9608 is a stored cross-site scripting (XSS) vulnerability in QianFox FoxCMS up to version 1.2.6, specifically affecting the /Tag/edit function in the Administrator Backend component.
The vulnerability arises because the application does not properly validate or sanitize user input on the server side, allowing attackers to store malicious HTML or JavaScript code in the database.
When administrators or other users access the affected pages, the malicious scripts execute in their browsers, enabling stored XSS attacks.
The system relies only on frontend input length restrictions, which can be bypassed, exposing a lack of proper server-side validation.
How can this vulnerability impact me?
Exploitation of this vulnerability can allow attackers to execute malicious scripts in the browsers of administrators or users accessing the affected pages, and thereby to:
- Steal sensitive data such as cookies or authentication tokens.
- Impersonate administrators to gain unauthorized access.
- Modify backend content, potentially altering site data or functionality.
- Conduct phishing attacks by injecting deceptive content.
- Cause database issues by submitting overly long inputs.
If malicious content is displayed on frontend pages, regular users may also be impacted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves stored cross-site scripting (XSS) in FoxCMS's tag-related features due to improper server-side input validation and sanitization.
Detection can be performed by testing the affected modules (tag, tag group, hotword group, and custom hotword features) for the presence of stored malicious HTML or JavaScript payloads.
You can attempt to inject typical XSS payloads into input fields related to tags or hotwords and then verify if the payload executes when accessing the affected pages in the administrator backend.
- Use curl or a similar tool to send a crafted POST request with an XSS payload to the /Tag/edit endpoint. Example command (replace the URL and parameters accordingly):
- `curl -X POST -d "tag=<script>alert('XSS')</script>" https://your-foxcms-site.com/Tag/edit -b cookie.txt -c cookie.txt`
- After injection, access the admin interface and check whether the script executes.
Additionally, review logs or use web vulnerability scanners that support stored XSS detection targeting the FoxCMS tag management endpoints.
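As an added example that is not part of this advisory or of the FoxCMS code base, the following Python script shows the review step the answer above mentions from the defender's side: scanning an export of the stored tag, tag-group and hotword values for markup that should never appear in a plain-text name, and for values longer than the limit the frontend alone enforces. The column names, the 30-character limit and the sample rows are constructed assumptions, not values taken from FoxCMS.

```python
"""Scan exported tag/hotword values for stored-XSS payloads.

Added example, not FoxCMS code. Column names, the length limit and the
sample rows below are constructed for illustration.
"""
import html
import re
from urllib.parse import unquote

# Assumed frontend length limit for a tag name (not taken from FoxCMS).
FRONTEND_MAX_LEN = 30

# Markers that have no business in a plain-text tag or hotword name.
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z][\w-]*", re.I)),   # any tag opener
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),    # onerror=, onload=, ...
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),   # javascript: scheme
]


def normalise(value: str) -> str:
    """Undo URL and HTML-entity encoding so an encoded payload is not missed."""
    prev = None
    while prev != value:            # repeat until stable: handles double encoding
        prev = value
        value = html.unescape(unquote(value))
    return value


def classify(value: str) -> list:
    """Return the findings for one stored value; an empty list means clean."""
    findings = []
    decoded = normalise(value)
    for name, pattern in SUSPICIOUS:
        if pattern.search(decoded):
            findings.append(name)
    if len(value) > FRONTEND_MAX_LEN:
        # Longer than the UI allows: the value bypassed the client-side check.
        findings.append("exceeds-frontend-limit")
    return findings


def scan_rows(rows):
    """rows: iterable of (id, column, value). Returns only the flagged rows."""
    flagged = []
    for row_id, column, value in rows:
        findings = classify(value)
        if findings:
            flagged.append({"id": row_id, "column": column, "findings": findings})
    return flagged


# Constructed sample export, as if produced by a query over the tag tables.
SAMPLE_ROWS = [
    (1, "tag.name", "security"),
    (2, "tag.name", "<script>alert('XSS')</script>"),
    (3, "hotword.word", "%3Cscript%3Ealert('XSS')%3C/script%3E"),   # URL-encoded copy
    (4, "tag_group.name", "a" * 64),                                 # bypassed UI limit
    (5, "tag.name", "<b onmouseover=\"alert('XSS')\">tag</b>"),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```

Rows 2 to 5 are reported and row 1 is not; any flagged row is a candidate for the clean-up step in the mitigation answer, and the `exceeds-frontend-limit` finding on its own is evidence that a request skipped the browser-side check.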
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement server-side input validation and length restrictions to prevent malicious data from being stored.
- Enforce input allowlisting and sanitize all user inputs on the server side.
- Properly encode output to avoid unsafe rendering of HTML or JavaScript.
- Clean existing stored data to remove any previously injected malicious scripts.
- Apply a Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
Since the project has not yet responded with a patch, these steps can help reduce the risk until an official fix is released.
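The following added example, written in Python and not code from FoxCMS or its maintainers, puts the first three mitigation steps above into one tag-edit handler and shows it beside the vulnerable pattern the advisory describes (a server that trusts the frontend length check and interpolates the stored value into HTML). The 30-character limit, the allowed character set, the store and function names, and the CSP value are assumptions chosen for the example.

```python
"""Vulnerable and hardened versions of a tag-edit handler.

Added example, not FoxCMS code. Limits, names and the CSP are assumptions.
"""
import html
import re

MAX_TAG_LEN = 30                                   # assumed server-side limit
# Allowlist: Unicode letters/digits/underscore, space and hyphen, bounded length.
TAG_ALLOWED = re.compile(r"^[\w \-]{1,%d}$" % MAX_TAG_LEN)


# --- vulnerable pattern: client-side length check only, raw output ---------

def save_tag_unsafe(store: dict, tag_id: int, name: str) -> None:
    """Stores whatever the client sent; the UI limit is the only check."""
    store[tag_id] = name


def render_tag_unsafe(name: str) -> str:
    """Raw interpolation: stored markup runs in the administrator's browser."""
    return f"<td>{name}</td>"


# --- hardened version: validate on input, encode on output, add a CSP ------

def validate_tag_name(name: str):
    """Server-side allowlist and length check. Returns (ok, reason)."""
    if not name or len(name) > MAX_TAG_LEN:
        return False, "length"
    if not TAG_ALLOWED.fullmatch(name):
        return False, "characters"
    return True, ""


def save_tag_safe(store: dict, tag_id: int, name: str) -> None:
    """Rejects the request before anything reaches the database."""
    ok, reason = validate_tag_name(name)
    if not ok:
        raise ValueError(f"rejected tag name ({reason})")
    store[tag_id] = name


def render_tag_safe(name: str) -> str:
    """Encodes on output regardless of validation (defence in depth)."""
    return f"<td>{html.escape(name, quote=True)}</td>"


# Response headers for the backend pages; an assumed, deliberately strict policy.
CSP_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
}


def demo() -> dict:
    """Runs the advisory's payload through both versions and returns the results."""
    payload = "<script>alert('XSS')</script>"
    unsafe_store, safe_store = {}, {}
    save_tag_unsafe(unsafe_store, 1, payload)
    try:
        save_tag_safe(safe_store, 1, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "unsafe_html": render_tag_unsafe(unsafe_store[1]),
        "safe_html": render_tag_safe(payload),
        "rejected_on_input": rejected,
        "stored_after_hardening": safe_store,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points: the allowlist uses `\w`, which in Python matches Unicode letters, so ordinary tag names in any script still pass; and output encoding is applied even to values that passed validation, because the clean-up step above will otherwise leave older records as the only line of defence.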
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in QianFox FoxCMS allows stored cross-site scripting (XSS) attacks that can lead to the theft of sensitive data such as cookies or tokens, impersonation of administrators, and unauthorized modification of backend content.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Exploitation of this vulnerability could result in unauthorized access to sensitive information, potentially violating data protection requirements and leading to non-compliance with these regulations.
Mitigation measures such as proper server-side input validation, output encoding, and Content Security Policy implementation are necessary to reduce the risk and help maintain compliance.