CVE-2026-2159
Analyzed Analyzed - Analysis Complete
Remote XSS in SourceCodester Tourism Website Registration Module

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2159
EUVD
EUVD-2026-5790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oretnom23 simple_responsive_tourism_website 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2159 is a cross-site scripting (XSS) vulnerability found in SourceCodester Simple Responsive Tourism Website version 1.0, specifically in the registration functionality handled by the file `/tourism/classes/Master.php?f=register`.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper neutralization of user-controllable input in the parameters `firstname`, `lastname`, and `username`. This flaw allows an attacker to inject malicious scripts that are executed in the context of other users viewing the affected web pages.'}, {'type': 'paragraph', 'content': 'It can be exploited remotely without requiring any authentication, although it requires some form of user interaction by the victim.'}, {'type': 'paragraph', 'content': "The attack technique involves injecting malicious JavaScript code that executes in the victim's browser, compromising data integrity."}] [1, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "Successful exploitation of this vulnerability enables arbitrary script execution within the victim's browser context."}, {'type': 'list_item', 'content': 'Session hijacking'}, {'type': 'list_item', 'content': 'Theft of sensitive information such as cookies or session tokens'}, {'type': 'list_item', 'content': 'Website defacement'}, {'type': 'list_item', 'content': 'Redirection to malicious sites'}, {'type': 'paragraph', 'content': 'This vulnerability directly threatens user privacy and application security by compromising data integrity.'}] [1, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the registration functionality of the affected web application, specifically by injecting malicious scripts into the firstname, lastname, or username parameters in the /tourism/classes/Master.php?f=register endpoint.'}, {'type': 'paragraph', 'content': 'A common detection method is to send HTTP requests with JavaScript payloads in these parameters and observe if the script is executed or reflected in the response without proper neutralization.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the firstname parameter for XSS:'}, {'type': 'list_item', 'content': "curl -X POST 'http://target-site/tourism/classes/Master.php?f=register' -d 'firstname=<script>alert(1)</script>&lastname=test&username=testuser'"}, {'type': 'paragraph', 'content': 'If the alert script executes or the payload is reflected unescaped in the response, the vulnerability is present.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include replacing the affected component with an alternative product, as no known mitigations or countermeasures have been documented.

Additionally, applying input validation, sanitization, and output encoding on the firstname, lastname, and username parameters can help prevent script injection.

Until a patch or fix is available, restricting access to the vulnerable registration endpoint or disabling the registration feature temporarily can reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2159. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart