CVE-2026-15202
Received Received - Intake

Stored XSS in YzmCMS via HTTP_HOST Header

Vulnerability report for CVE-2026-15202, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function get_url of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTP_HOST leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
yzmcms yzmcms to 7.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in YzmCMS up to version 7.5 and involves the get_url function in the Header Handler component. It arises because the application uses the HTTP_HOST header from incoming requests without proper validation or sanitization.

An attacker can manipulate the HTTP_HOST header to inject malicious scripts, leading to a Cross-Site Scripting (XSS) attack. This means that when the application constructs URLs using this untrusted header, it can inadvertently include harmful code.

The attack can be initiated remotely without authentication, exploiting the improper handling of the Host header in the framework's bootstrap file, which affects URL generation and template rendering.

Impact Analysis

Exploitation of this vulnerability can lead to several security issues including session hijacking, where attackers steal user sessions; web cache poisoning, which can serve malicious content to users; phishing attacks by injecting deceptive content; and general content injection that compromises the integrity of the website.

Since the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to both the website operators and its users.

Detection Guidance

This vulnerability can be detected by checking if the application improperly uses the HTTP Host header without validation, which can be tested by sending HTTP requests with manipulated Host headers and observing if the response reflects the injected value.

A simple way to test this is by using curl to send a request with a custom Host header and checking if the response contains the injected script or altered content.

  • curl -H "Host: <script>alert(1)</script>" http://target-website/yzmphp/yzmphp.php
  • Observe the response for any reflected script tags or unusual content indicating cross-site scripting.

Additionally, monitoring web server logs for unusual or suspicious Host header values can help detect exploitation attempts.

Compliance Impact

The vulnerability in YzmCMS allows for Cross-Site Scripting (XSS) via Host Header Injection, which can lead to session hijacking, phishing attacks, and content injection. Such security issues can undermine the confidentiality and integrity of user data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access or manipulation of user data can potentially violate requirements for data protection, user privacy, and secure handling of information mandated by these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with common security and privacy standards by exposing users to risks such as data theft or unauthorized actions.

Mitigation Strategies

Immediate mitigation involves validating the HTTP Host header against a whitelist of trusted domains to prevent injection of malicious scripts.

Alternatively, configure the application to use a fixed, trusted domain name from its settings instead of relying on the HTTP Host header.

If possible, apply any available patches or updates from the vendor addressing this vulnerability.

In the absence of vendor response, consider implementing web application firewall (WAF) rules to block requests with suspicious Host headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart