CVE-2026-32843
Reflected XSS in Linkit ONE PM25.php Enables Remote Script Execution
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkit | location_aware_sensor_system | to f06bd20 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the PM25.php endpoint for reflected cross-site scripting (XSS) by injecting malicious JavaScript payloads into the GET parameters: site, city, district, channel, or apikey.'}, {'type': 'paragraph', 'content': 'One way to detect it is by crafting URLs with script payloads in these parameters and observing if the script executes in the browser.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or wget commands to send requests with suspicious payloads and check the response for unencoded script tags.'}, {'type': 'list_item', 'content': 'curl "http://target/PM25.php?site=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl "http://target/PM25.php?city=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl "http://target/PM25.php?district=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl "http://target/PM25.php?channel=<script>alert(1)</script>"'}, {'type': 'list_item', 'content': 'curl "http://target/PM25.php?apikey=<script>alert(1)</script>"'}, {'type': 'paragraph', 'content': 'If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.'}] [1]
Can you explain this vulnerability to me?
CVE-2026-32843 is a reflected cross-site scripting (XSS) vulnerability found in the Location Aware Sensor System by Linkit ONE, specifically in the PM25.php file. This vulnerability allows remote attackers to inject and execute arbitrary JavaScript code by manipulating certain GET parameters such as site, city, district, channel, or apikey with malicious payloads. When a victim visits a crafted URL containing these payloads, the injected scripts run in their browser, potentially compromising their security.
How can this vulnerability impact me? :
This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript in their browsers when they visit a maliciously crafted URL. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the user, or redirection to malicious sites. Since the attack requires user interaction (visiting the malicious URL), it can be used in phishing or social engineering attacks to compromise user security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and encoding all user-supplied input in the PM25.php file, especially the GET parameters site, city, district, channel, and apikey.
Until a patch or update is applied, restrict access to the vulnerable endpoint or implement a web application firewall (WAF) to block requests containing suspicious script payloads.
Additionally, educate users to avoid clicking on suspicious links that may contain malicious payloads.