VYPR
Low severity (CVSS 2.4) · NVD Advisory · Published May 27, 2026

CVE-2026-9608

Description

A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in FoxCMS ≤1.2.6 via tag editing allows remote attackers to inject scripts, with no vendor response.

Vulnerability

The vulnerability is a stored cross-site scripting (XSS) in QianFox FoxCMS versions up to 1.2.6. The affected endpoint is /Tag/edit in the Administrator Backend. User input in the tag name field is not sanitized server-side and is stored in the database without proper HTML encoding. When an administrator views the tag list or related pages, the stored script executes. The issue also affects tag groups, hotword groups, and custom hotwords as detailed in the public issue report [2]. The vendor has not responded to the report [1].

Exploitation

An attacker needs access to the Administrator Backend, but the description states the attack can be launched remotely. Since the vulnerability is in the admin panel, an attacker would need valid admin credentials or trick an admin into performing actions. However, the issue report [2] demonstrates that the input length validation is only client-side, allowing an attacker to bypass it by modifying requests. The attacker can inject a payload such as `` into the tag name field. Upon saving, the payload is stored and executed when any admin visits the tag management page.

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the context of the admin's browser. This can result in session hijacking, defacement, or theft of sensitive data displayed on the admin panel. The CVSS score is 2.4 (Low) due to the requirement of admin privileges and the limited scope of impact, but the stored nature increases persistence.

Mitigation

As of the publication date (2026-05-27), no official fix has been released. The vendor was informed via an issue report [2] but has not responded. Users should consider disabling the affected functionality or implementing a web application firewall (WAF) rule to block malicious payloads. Upgrading to a patched version is not possible until the vendor releases an update. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Qianfox/Foxcms (2 versions, no CPE assigned): range <=1.2.6

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"User input in tag, tag group, hotword group, and custom hotword fields is not sanitized or HTML-escaped on the server side before storage and display, enabling stored cross-site scripting."

Attack vector

An attacker with administrative backend access (PR:H) can inject malicious HTML/JavaScript into tag, tag group, hotword group, or custom hotword fields [ref_id=2]. The input is stored in the database without server-side sanitization or HTML escaping, and when an administrator views the affected list or detail page, the payload executes in their browser [ref_id=2]. The attack requires the victim to interact with the crafted page (UI:R) and is launched remotely over the network (AV:N) [ref_id=1].

Affected code

The vulnerability affects the `/Tag/edit` endpoint in the Administrator Backend of FoxCMS up to version 1.2.6 [ref_id=1]. The issue also extends to tag group, hotword group, and custom hotword management features [ref_id=2]. No specific function names or file paths beyond `/Tag/edit` are identified in the bundle.

What the fix does

No patch has been published by the vendor; the project was notified via an issue report but has not responded [ref_id=1]. The researcher recommends three server-side remediations: add length validation on the backend (not just the client), implement an input whitelist allowing only safe characters (Chinese, English, digits, spaces, underscores, hyphens), and HTML-entity-encode all user-supplied data when rendering pages [ref_id=2]. Additionally, using a Content-Security-Policy header and sanitizing any already-stored malicious data is advised [ref_id=2].
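The three server-side remediations above (backend length check, character whitelist, HTML-entity encoding at render time) plus a restrictive CSP, as an added illustration in Python; this is not FoxCMS code, and the 50-character limit, the CJK range used for "Chinese", and the CSP value are assumptions:

```python
import html
import re

# Added example, not FoxCMS code. Whitelist covers CJK ideographs (assumed to be
# what the report means by "Chinese"), ASCII letters, digits, space, '_' and '-'.
_SAFE_NAME = re.compile(r"^[\u4e00-\u9fffA-Za-z0-9 _-]+$")
MAX_TAG_LEN = 50  # constructed limit; the page states no number

# Restrictive CSP for admin pages (assumed value): blocks inline script, so a
# value that reached storage before validation existed still cannot run.
ADMIN_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def validate_tag_name(name: str) -> str:
    """Server-side validation for tag / tag group / hotword names.

    Runs on the backend, so a client that edits the request to skip the
    JavaScript length check (the bypass the report describes) gains nothing.
    Returns the trimmed name or raises ValueError."""
    if not isinstance(name, str):
        raise ValueError("tag name must be a string")
    name = name.strip()
    if not name:
        raise ValueError("tag name is empty")
    if len(name) > MAX_TAG_LEN:
        raise ValueError(f"tag name longer than {MAX_TAG_LEN} characters")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("tag name contains characters outside the whitelist")
    return name


def is_valid_tag_name(name: str) -> bool:
    try:
        validate_tag_name(name)
        return True
    except ValueError:
        return False


def render_tag_row(name: str) -> str:
    """HTML-entity-encode the stored value when rendering the list page, so
    data stored before the whitelist existed is still shown as text."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


if __name__ == "__main__":
    # Constructed samples: a benign name, a script payload, an over-length name.
    for sample in ["安全 news-2026", "<script>alert(1)</script>", "a" * 60]:
        print(repr(sample), "valid" if is_valid_tag_name(sample) else "rejected")
    print(render_tag_row("<script>alert(1)</script>"))
```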

Preconditions

  • auth: Attacker must have valid administrator backend credentials (PR:H)
  • config: Target must be running FoxCMS version 1.2.6 or earlier
  • network: Attacker must be able to reach the /Tag/edit endpoint over the network
  • input: Payload is submitted via the tag name, tag group name, hotword group name, or custom hotword fields

Reproduction

1. Log in to the FoxCMS administrator backend.
2. Navigate to the Tag management section and access `/Tag/edit`.
3. In the tag name field, enter `

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.