CVE-2026-13529
MediumCVSS 5.6Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.
Risk Assessment
Successful exploitation could allow an attacker to inject malicious SQL code, leading to data leakage or modification. Despite the high complexity, the public exploit increases the risk of attack.
Recommendation
Immediately update YzmCMS to the latest version beyond 7.5 or apply temporary mitigations such as input validation for siteurl. Monitor logs for unusual SQL queries.
Original NVD description (English source)
A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

