CVE-2026-2159
Remote XSS in SourceCodester Tourism Website Registration Module
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | simple_responsive_tourism_website | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2159 is a cross-site scripting (XSS) vulnerability found in SourceCodester Simple Responsive Tourism Website version 1.0, specifically in the registration functionality handled by the file `/tourism/classes/Master.php?f=register`.

The vulnerability arises from improper neutralization of user-controllable input in the parameters `firstname`, `lastname`, and `username`. This flaw allows an attacker to inject malicious scripts that are executed in the context of other users viewing the affected web pages.

It can be exploited remotely without requiring any authentication, although it requires some form of user interaction by the victim.

The attack technique involves injecting malicious JavaScript code that executes in the victim's browser, compromising data integrity. [1, 3]
How can this vulnerability impact me?
Successful exploitation of this vulnerability enables arbitrary script execution within the victim's browser context. Possible consequences include:

- Session hijacking
- Theft of sensitive information such as cookies or session tokens
- Website defacement
- Redirection to malicious sites

This vulnerability directly threatens user privacy and application security by compromising data integrity. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the registration functionality of the affected web application, specifically by injecting malicious scripts into the `firstname`, `lastname`, or `username` parameters in the `/tourism/classes/Master.php?f=register` endpoint.

A common detection method is to send HTTP requests with JavaScript payloads in these parameters and observe if the script is executed or reflected in the response without proper neutralization.

Example command using curl to test the `firstname` parameter for XSS:

```
curl -X POST 'http://target-site/tourism/classes/Master.php?f=register' -d 'firstname=<script>alert(1)</script>&lastname=test&username=testuser'
```

If the alert script executes or the payload is reflected unescaped in the response, the vulnerability is present. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component with an alternative product, as no known mitigations or countermeasures have been documented.
Additionally, applying input validation, sanitization, and output encoding on the firstname, lastname, and username parameters can help prevent script injection.
Until a patch or fix is available, restricting access to the vulnerable registration endpoint or disabling the registration feature temporarily can reduce exposure.
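The following PHP snippet illustrates the validation and output-encoding advice above for the three affected fields. It is an added example, not code from the SourceCodester project: this record does not show the internals of `Master.php`, so only the parameter names `firstname`, `lastname` and `username` are carried over, while the render functions, the validation regexes and the constructed `$post` array are assumptions made for the illustration.

```php
<?php
// Added example, not SourceCodester's code. Assumes a registration handler that
// reads firstname/lastname/username from $_POST and later renders them in HTML.
declare(strict_types=1);

// Encode a value for an HTML text or attribute context. ENT_QUOTES escapes both
// quote styles so the result is also safe inside quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation for the registration fields. Validation narrows what is
// stored; it does not replace output encoding, which protects every render site.
// The character sets and length limits below are assumptions for this example.
function validate_registration(array $post): array
{
    $errors = [];
    $clean = [];

    foreach (['firstname', 'lastname'] as $field) {
        $v = trim((string)($post[$field] ?? ''));
        // Letters in any script, spaces, apostrophes and hyphens; 1 to 60 characters.
        if (!preg_match('/^[\p{L}\' -]{1,60}$/u', $v)) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $v;
        }
    }

    $u = trim((string)($post['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $u)) {
        $errors['username'] = 'invalid';
    } else {
        $clean['username'] = $u;
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Vulnerable pattern (hypothetical): stored values interpolated straight into markup,
// so any markup in a field becomes part of the page for every viewer.
function render_profile_unsafe(array $user): string
{
    return "<p>Welcome, {$user['firstname']} {$user['lastname']} ({$user['username']})</p>";
}

// Hardened pattern: every interpolated value passes through h() at the point of output.
function render_profile_safe(array $user): string
{
    return '<p>Welcome, ' . h($user['firstname']) . ' ' . h($user['lastname'])
         . ' (' . h($user['username']) . ')</p>';
}

// Constructed request mirroring the probe payload quoted in the detection section.
$post = [
    'firstname' => '<script>alert(1)</script>',
    'lastname'  => 'test',
    'username'  => 'testuser',
];

$result = validate_registration($post);
echo $result['ok']
    ? "accepted\n"
    : 'rejected: ' . implode(', ', array_keys($result['errors'])) . "\n";

// Compare the two render paths on the same (unvalidated) input: the unsafe one
// emits the tag as markup, the safe one emits it as entity-encoded text.
echo render_profile_unsafe($post), "\n";
echo render_profile_safe($post), "\n";
```

Both layers matter: the whitelist rejects the probe at registration time, and `h()` ensures that a value which reaches storage by any other path (an older record, a direct database edit, a second entry point) is still rendered as text rather than markup.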