CVE-2026-0642
Unknown Unknown - Not Provided
Cross-Site Scripting in House Rental /app/complaint.php

Publication date: 2026-01-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0642
EUVD
EUVD-2026-1142
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectworlds house_rental_and_property_listing 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0642 is a Cross-Site Scripting (XSS) vulnerability in version 1.0 of the House Rental and Property Listing project by Projectworlds, specifically in the file /app/complaint.php. The vulnerability occurs because the application directly outputs user input from the 'name' parameter to the web page without proper encoding or filtering. This allows attackers to inject and execute arbitrary JavaScript code in the victim's browser remotely, potentially leading to theft of cookies, session tokens, unauthorized actions, webpage defacement, or redirection to malicious sites. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you visit the affected web application. This can lead to theft of sensitive information such as cookies and session tokens, unauthorized actions performed on your behalf, defacement of web pages, redirection to malicious websites, and potentially full control over your browser session. Exploitation does not require user login or authorization, increasing the risk. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the /app/complaint.php endpoint for reflected cross-site scripting (XSS) via the 'name' parameter. A proof-of-concept payload such as <script>alert('XSS')</script> can be sent via a POST request to /app/complaint.php with the parameter name=<script>alert(123)</script> to check if the script executes. Additionally, vulnerable targets can be identified using Google dorking with the query inurl:app/complaint.php. Example command using curl to test the vulnerability: curl -X POST -d "name=<script>alert(123)</script>" https://targetsite.com/app/complaint.php and then observing if the alert executes or if the script is reflected in the response. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1. Implement proper output encoding of user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution of injected scripts. 2. Enforce strict input validation and filtering to accept only expected input formats and sanitize or reject malicious content such as script tags. 3. Deploy a strict Content Security Policy (CSP) to restrict script sources and prevent execution of unauthorized scripts. 4. Set secure cookie flags such as HttpOnly and Secure to protect sensitive cookies from JavaScript access and ensure secure transmission. 5. Conduct regular security audits and code reviews to detect and remediate XSS vulnerabilities promptly. If possible, consider replacing the affected product with a secure alternative. [1, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows cross-site scripting (XSS) attacks that can lead to theft of sensitive information like cookies and session tokens, it could potentially lead to unauthorized access to personal data, which may affect compliance with data protection regulations. No direct statements about compliance impact are given. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart