BEECMS cross site scripting
Description
UNSUPPORTED WHEN ASSIGNED A vulnerability, which was classified as problematic, was found in BEECMS 4.0. This affects an unknown part of the file /admin/admin_content_tag.php?action=save_content. The manipulation of the argument tag leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240915. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BEECMS 4.0 admin panel has a stored XSS vulnerability via the tag parameter in admin_content_tag.php, allowing remote attackers to inject arbitrary scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in BEECMS 4.0, an unsupported product. The flaw is located in the file /admin/admin_content_tag.php with the action=save_content parameter. The tag argument is not properly sanitized before being stored, allowing an attacker to inject arbitrary JavaScript code. This vulnerability affects BEECMS 4.0 only [1].
Exploitation
An attacker with administrative access to the BEECMS admin panel can send a POST request to /admin/admin_content_tag.php?action=save_content with a malicious payload in the tag parameter. The payload is stored in the database. When an administrator subsequently visits the content list page at /admin/admin_content_tag.php?action=content_list, the injected script executes in the context of the admin session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an authenticated admin user. This can lead to session hijacking, defacement of the admin panel, or theft of sensitive data displayed in the admin interface. The impact is limited to the admin area, but given that the product is unsupported, there is no official fix [1].
Mitigation
BEECMS 4.0 is a discontinued and unsupported version. No official patch exists for this vulnerability. Users are strongly advised to upgrade to a supported version of the software or migrate to an alternative content management system. Until then, restrict administrative access to trusted users only and monitor for unusual activity [1].
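Because no vendor fix exists, an operator who must keep an instance running can only patch locally. The following is an added example, not BEECMS code: hypothetical helpers (`normalize_tag`, `render_tag`, `find_suspicious_tags`) that validate the tag before it is stored, encode it when it is rendered, and flag rows already in the database. It assumes PHP 7.4 or later, UTF-8 pages, and a 32-character tag limit.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for a local patch; names are not from the BEECMS code base.

/**
 * Validate a submitted tag before it is stored.
 * Returns the trimmed tag, or null if it is empty, longer than 32 characters
 * (assumed limit), or contains anything other than letters, digits, spaces,
 * underscores and hyphens.
 */
function normalize_tag(string $raw): ?string
{
    $tag = trim($raw);
    // \p{L} and \p{N} keep non-ASCII tags usable; with /u, invalid UTF-8
    // makes preg_match return false, which is rejected as well.
    if (preg_match('/\A[\p{L}\p{N} _-]{1,32}\z/u', $tag) !== 1) {
        return null;
    }
    return $tag;
}

/**
 * Encode a stored tag for an HTML text or quoted-attribute context.
 * Applied on output, so rows stored before the patch are neutralised too.
 */
function render_tag(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return stored tags that fail validation, for review or cleanup. */
function find_suspicious_tags(array $storedTags): array
{
    return array_values(array_filter(
        $storedTags,
        static fn(string $t): bool => normalize_tag($t) === null
    ));
}

// Constructed sample rows standing in for the contents of the tag table.
$rows = ['news', '产品 2024', '<b>bold</b>', 'say "hi" & bye'];
foreach ($rows as $row) {
    printf("%-16s -> %s\n", var_export(normalize_tag($row), true), render_tag($row));
}
print_r(find_suspicious_tags($rows));
```

Encoding at render time is the control that matters for stored XSS; the validation step reduces what reaches the database and gives a simple way to audit existing rows.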
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BEECMS/BEECMS (description)
Patches
No patches discovered yet.
References
- github.com/zhenjiaqi/CVE/issues/1 (mitre; exploit, issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)