CVE-2026-2965 MEDIUM

CVE-2026-2965: 07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting

Vendor N/A
Product 07FLYCMS
Weakness CWE-79 · XSS
Published February 23, 2026
Last update February 23, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

February 23, 2026 CVE published
February 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-64221 WordPress Reservation Plugin plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability CVE-2025-22547 WordPress JK Html To Pdf plugin <= 1.0.0 - CSRF to Stored XSS vulnerability CVE-2021-24991 WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting CVE-2022-45065 WordPress SEO Plugin by Squirrly SEO Plugin <= 12.1.20 is vulnerable to Cross Site Scripting (XSS) CVE-2024-4310 Cross-site Scripting (XSS) vulnerability in HubBank