A cross-site scripting vulnerability exists in DouPHP, a lightweight enterprise content management system (CMS) from China DouShell Network Technology. The vulnerability stems from a lack of data validation filtering of user-supplied data and output in the upload function of dmin/show.php. An attacker could use this vulnerability to execute arbitrary Web script or HTML via a crafted image file.