CVE-2026-0586
Remote XSS in code-projects Online Product Reservation System
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_product_reservation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) flaw in version 1.0 of the code-projects Online Product Reservation System. It occurs in the file handgunner-administrator/prod.php, specifically involving the 'cat' argument. The system improperly neutralizes user input, embedding it directly into JavaScript code without proper sanitization or encoding. This allows an attacker to inject and execute arbitrary JavaScript code in the browsers of users who access the affected functionality. The attack can be carried out remotely and requires user interaction. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of your users. This can lead to unauthorized actions performed on behalf of users, manipulation of web content, or theft of sensitive information such as session tokens. Although it does not directly compromise confidentiality or availability, it affects data integrity and user trust. The vulnerability can be exploited remotely without authentication but requires user interaction. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by checking for the presence of the vulnerable file handgunner-administrator/prod.php and testing the 'cat' argument for reflected cross-site scripting (XSS) by injecting scripts and observing if they are executed. Additionally, vulnerable targets can be identified using Google dorking with the query: inurl:handgunner-administrator/prod.php. Specific commands for detection are not provided, but using web vulnerability scanners or manual testing with crafted HTTP requests targeting the 'cat' parameter can help detect the issue. [2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability. It is suggested to replace the affected product with an alternative solution to mitigate the risk. Until a patch or fix is available, restricting access to the vulnerable functionality or applying web application firewall (WAF) rules to block malicious input targeting the 'cat' parameter may help reduce exposure. [2]