CVE-2026-0642
Cross-Site Scripting in House Rental /app/complaint.php
Publication date: 2026-01-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | house_rental_and_property_listing | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0642 is a Cross-Site Scripting (XSS) vulnerability in version 1.0 of the House Rental and Property Listing project by Projectworlds, specifically in the file /app/complaint.php. The vulnerability occurs because the application directly outputs user input from the 'name' parameter to the web page without proper encoding or filtering. This allows attackers to inject and execute arbitrary JavaScript code in the victim's browser remotely, potentially leading to theft of cookies, session tokens, unauthorized actions, webpage defacement, or redirection to malicious sites. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you visit the affected web application. This can lead to theft of sensitive information such as cookies and session tokens, unauthorized actions performed on your behalf, defacement of web pages, redirection to malicious websites, and potentially full control over your browser session. Exploitation does not require user login or authorization, increasing the risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /app/complaint.php endpoint for reflected cross-site scripting (XSS) via the 'name' parameter. A proof-of-concept payload such as <script>alert('XSS')</script> can be sent via a POST request to /app/complaint.php with the parameter name=<script>alert(123)</script> to check if the script executes. Additionally, vulnerable targets can be identified using Google dorking with the query inurl:app/complaint.php. Example command using curl to test the vulnerability: curl -X POST -d "name=<script>alert(123)</script>" https://targetsite.com/app/complaint.php and then observing if the alert executes or if the script is reflected in the response. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Implement proper output encoding of user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution of injected scripts. 2. Enforce strict input validation and filtering to accept only expected input formats and sanitize or reject malicious content such as script tags. 3. Deploy a strict Content Security Policy (CSP) to restrict script sources and prevent execution of unauthorized scripts. 4. Set secure cookie flags such as HttpOnly and Secure to protect sensitive cookies from JavaScript access and ensure secure transmission. 5. Conduct regular security audits and code reviews to detect and remediate XSS vulnerabilities promptly. If possible, consider replacing the affected product with a secure alternative. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows cross-site scripting (XSS) attacks that can lead to theft of sensitive information like cookies and session tokens, it could potentially lead to unauthorized access to personal data, which may affect compliance with data protection regulations. No direct statements about compliance impact are given. [1, 2, 3]