CVE-2026-2200 MEDIUM

CVE-2026-2200: heyewei JFinalCMS API Endpoint save cross site scripting

Vendor Heyewei

Product JFinalCMS

Weakness CWE-79 · XSS

Published February 9, 2026

Last update February 23, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Key dates

02Disclosure timeline

February 9, 2026 CVE published

February 23, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-2200 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-52462 WordPress WP e-Commerce Style Email plugin <= 0.6.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-47524 LibreNMS has Stored Cross-site Scripting vulnerability in "Device Group" Name CVE-2025-3435 MangBoard WP <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer CVE-2024-10832 Posti Shipping <= 3.10.3 - Reflected Cross-Site Scripting CVE-2026-45465 Microsoft SharePoint Server Spoofing Vulnerability