PatchSiren

QianFox CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW QianFox CVE published 2026-05-27

CVE-2026-9609

A weak password recovery vulnerability exists in QianFox FoxCMS versions up to 1.2.6, specifically within the Edit function of the Admin.php file. The vulnerability allows remote attackers to manipulate password recovery mechanisms, potentially enabling unauthorized account access. The CVSS 4.0 score of 2.0 (LOW severity) reflects the requirement for high privileges (PR:H) to exploit this weakness. The vu [truncated]

LOW QianFox CVE published 2026-05-27

CVE-2026-9608

A stored cross-site scripting (XSS) vulnerability exists in QianFox FoxCMS versions up to and including 1.2.6. The affected endpoint is `/Tag/edit` within the Administrator Backend component. Successful exploitation requires high privileges (administrator access) and user interaction, limiting the attack surface to authenticated administrative sessions. The vulnerability has been publicly disclosed via a [truncated]