Overview
CVE-2026-29933 describes a reflected cross-site scripting (XSS) vulnerability in YZMCMS v7.4, where an attacker could manipulate the Referer header value sent to /index/login.html to inject arbitrary JavaScript. This is a classic CWE-79 reflected injection: untrusted input is echoed into HTML without proper escaping, enabling script execution in the victim's browser. The real-world impact is user session compromise, credential theft, and possible trust manipulation, especially on login or authentication pages that render header-derived content back to the user. While the CVE centers on YZMCMS, the underlying flaw — reflecting a header or other user-controlled data into HTML without escaping — maps directly to how injection vulnerabilities manifest in Go (Gin) applications when proper safeguards are not applied.
Code Fix Example
Go (Gin) API Security Remediation
package main
import (
	"bytes"
	"html/template"
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)
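// main registers the deliberately vulnerable handler and its fixed counterpart
// side by side and serves them on :8080.
func main() {
	r := gin.Default()
	r.GET("/vuln-login", loginVulnerable)
	r.GET("/fix-login", loginFixed)
	// Run blocks until the listener fails; report that failure instead of
	// silently exiting with status 0.
	if err := r.Run(":8080"); err != nil {
		log.Fatalf("serving on :8080: %v", err)
	}
}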
// loginVulnerable is the intentionally unsafe example (CWE-79): the Referer
// header is fully client-controlled, and here it is concatenated straight into
// the response body with no escaping, so any markup it carries is interpreted
// by the browser. Compare with loginFixed, which renders the same value
// through html/template.
func loginVulnerable(c *gin.Context) {
	referer := c.Request.Referer()
	page := []byte("<html><body>Referrer: " + referer + "</body></html>")
	c.Data(http.StatusOK, "text/html; charset=utf-8", page)
}
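// loginTmpl is parsed once at package init rather than on every request.
// html/template applies context-aware escaping to {{.Ref}} (HTML text context
// here), which is what neutralises the reflected value in loginVulnerable.
var loginTmpl = template.Must(template.New("login").Parse("<html><body>Referrer: {{.Ref}}</body></html>"))

// loginFixed renders the Referer header back to the client safely.
//
// The header value is attacker-controlled, so it is passed to the template as
// data and never concatenated into markup. The page is rendered into a buffer
// first so a template failure produces a clean 500 rather than a half-written
// body with a 200 status.
func loginFixed(c *gin.Context) {
	ref := c.Request.Referer()
	var buf bytes.Buffer
	if err := loginTmpl.Execute(&buf, map[string]string{"Ref": ref}); err != nil {
		c.String(http.StatusInternalServerError, "server error")
		return
	}
	c.Data(http.StatusOK, "text/html; charset=utf-8", buf.Bytes())
}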