CVE-2020-28146

MEDIUM

Eyoucms < 1.4.7 - Cross-Site Scripting via addonfieldext Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28146. PoCs published by China Banking and Insurance Information Technology Management Co.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in EyouCMS 1.4.6 by injecting malicious JavaScript into the 'addonFieldExt[content]' parameter. The payload triggers an alert with the victim's cookies when rendered.

Description

Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.

Exploits (1)

exploitdb WORKING POC
by China Banking and Insurance Information Technology Management Co. · text · webapps · php
https://www.exploit-db.com/exploits/48530

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: EyouCMS V1.4.6
Auth required
Prerequisites: Valid user session (users_id cookie) · Access to the article_add endpoint
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48530
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/eyoucms/eyoucms/issues/12
Exploit, Vendor Advisory x_refsource_misc
https://www.eyoucms.com/ask/list_1_0/4511.html

Scores

CVSS v3 6.1
EPSS 0.0146
EPSS Percentile 70.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
eyoucms/eyoucms < 1.4.7
Published Aug 18, 2021
Tracked Since Feb 18, 2026