CVE-2026-0580
Unknown Unknown - Not Provided
Remote Cross-Site Scripting in SourceCodester API Key Manager

Publication date: 2026-01-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0580
EUVD
EUVD-2026-0904
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester api_key_manager_app 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0580 is a cross-site scripting (XSS) vulnerability in the SourceCodester API Key Manager App version 1.0, specifically in the Import Key Handler component. The application improperly sanitizes user input when importing keys, allowing attackers to inject malicious JavaScript code into fields such as "tags" or "id". When the application loads these imported keys, the malicious scripts execute in the context of the user's browser, potentially compromising user data or enabling unauthorized actions. [1, 2, 3]

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary JavaScript code in the context of the application within a user's browser. This can lead to unauthorized actions, data compromise, or manipulation of the application's behavior. Since the attack requires user interaction, it can be exploited to steal sensitive information, hijack user sessions, or perform actions on behalf of the user without their consent. [1, 3]

Detection Guidance

This vulnerability can be detected by attempting to import a specially crafted JSON payload containing malicious JavaScript code in the 'id' or 'tags' fields to the SourceCodester API Key Manager App's import keys functionality. For example, importing a JSON file with a payload like `{ "id": "\"><img src=x onerror=alert(1);><span data-id=\"" }` can trigger the XSS if the application is vulnerable. Detection involves monitoring the application's response to such payloads and checking for execution of JavaScript alerts or prompts. There are no specific network commands provided, but testing the import functionality with crafted JSON payloads is the suggested approach. [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable import keys functionality or disabling it if possible. Since no known countermeasures or patches are currently available, it is recommended to replace the affected product with an alternative that does not have this vulnerability. Additionally, restricting user privileges to limit who can import keys and monitoring for suspicious activity can help reduce risk. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0580. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart