CVE-2026-0580
Remote Cross-Site Scripting in SourceCodester API Key Manager
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | api_key_manager_app | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0580 is a cross-site scripting (XSS) vulnerability in the SourceCodester API Key Manager App version 1.0, specifically in the Import Key Handler component. The application improperly sanitizes user input when importing keys, allowing attackers to inject malicious JavaScript code into fields such as "tags" or "id". When the application loads these imported keys, the malicious scripts execute in the context of the user's browser, potentially compromising user data or enabling unauthorized actions. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary JavaScript code in the context of the application within a user's browser. This can lead to unauthorized actions, data compromise, or manipulation of the application's behavior. Since the attack requires user interaction, it can be exploited to steal sensitive information, hijack user sessions, or perform actions on behalf of the user without their consent. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to import a specially crafted JSON payload containing malicious JavaScript code in the 'id' or 'tags' fields to the SourceCodester API Key Manager App's import keys functionality. For example, importing a JSON file with a payload like `{ "id": "\"><img src=x onerror=alert(1);><span data-id=\"" }` can trigger the XSS if the application is vulnerable. Detection involves monitoring the application's response to such payloads and checking for execution of JavaScript alerts or prompts. There are no specific network commands provided, but testing the import functionality with crafted JSON payloads is the suggested approach. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable import keys functionality or disabling it if possible. Since no known countermeasures or patches are currently available, it is recommended to replace the affected product with an alternative that does not have this vulnerability. Additionally, restricting user privileges to limit who can import keys and monitoring for suspicious activity can help reduce risk. [3]