CVE-2026-3763
Remote XSS Vulnerability in Simple Flight Ticket Booking System
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | simple_flight_ticket_booking_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3763 is a Stored Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the Simple Flight Ticket Booking System, specifically in the file showhistory.php.
The vulnerability arises because the application directly outputs database fields into HTML without applying any sanitization or encoding functions like htmlspecialchars(). This improper output encoding allows malicious HTML or JavaScript code stored in the database fields to execute when the showhistory.php page is loaded.
An attacker can inject malicious JavaScript code into flight booking fields (e.g., the departure field) via a crafted GET request, which is then stored and later executed in the browser of any user viewing the booking history page.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's browser session when they visit the affected booking history page.
- Attackers can hijack user sessions.
- Phishing attacks can be facilitated by injecting malicious scripts.
- Unauthorized actions can be performed on behalf of the user.
Because the exploit is stored and triggered when users view the page, any user who accesses the booking history after the malicious payload is injected is at risk. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a stored cross-site scripting payload into flight booking fields such as the departure field and then observing if the payload executes when visiting the showhistory.php page.
A practical detection method involves sending a crafted GET request to inject a payload, for example:
- GET /Adminupdate.php?flightno=AA100&departure=<img src=x onerror=alert(1)>
After injecting the payload and completing a paid booking for the flight, visiting /showhistory.php will trigger the execution of the injected JavaScript if the system is vulnerable.
Additionally, attackers or testers can use Google Dork queries such as "inurl:showhistory.php" to identify potentially vulnerable targets. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply proper output encoding on all dynamic content rendered by showhistory.php to prevent injection of malicious HTML or JavaScript.
Specifically, use PHP's htmlspecialchars() function with appropriate flags to encode all database fields before output, for example:
- echo "<td>" . htmlspecialchars($row['company'], ENT_QUOTES, 'UTF-8') . " " . htmlspecialchars($row['type'], ENT_QUOTES, 'UTF-8') . "</td>";
- echo "<td>" . htmlspecialchars($row['departure'], ENT_QUOTES, 'UTF-8') . "</td>";
- echo "<td>" . htmlspecialchars($row['arrival'], ENT_QUOTES, 'UTF-8') . "</td>";
A helper function can be implemented to simplify this encoding process.
For additional defense-in-depth, implementing a Content Security Policy (CSP) that blocks inline scripts is recommended to reduce the impact if escaping is incomplete.
If immediate patching is not possible, consider replacing the affected component with an alternative product or restricting access to the vulnerable page. [3, 2]
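The encoding helper and Content Security Policy mentioned in this answer, sketched as an added PHP example (not code from the affected project or from this advisory). The names e() and render_history_row(), the sample row and the CSP value are assumptions; the column names are the ones quoted on this page.

```php
<?php
declare(strict_types=1);

/** Encode a value for HTML element content or a quoted attribute (hypothetical helper). */
function e(mixed $value): string
{
    // Null, arrays and objects render as an empty string rather than raising.
    $text = is_scalar($value) ? (string) $value : '';
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one <tr> of the history table with every database field encoded. */
function render_history_row(array $row): string
{
    return '<tr>'
        . '<td>' . e($row['company'] ?? null) . ' ' . e($row['type'] ?? null) . '</td>'
        . '<td>' . e($row['departure'] ?? null) . '</td>'
        . '<td>' . e($row['arrival'] ?? null) . '</td>'
        . '</tr>';
}

// Defense in depth: without 'unsafe-inline' in script-src, the browser refuses
// inline <script> blocks and inline event handlers such as onerror.
// The policy value is an assumption; adapt it to the assets the site loads.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Constructed sample row; the departure value is the test string quoted on this page.
$row = [
    'company'   => 'Example Air',
    'type'      => 'A320',
    'departure' => '<img src=x onerror=alert(1)>',
    'arrival'   => 'O\'Hare "ORD"',
];

// The departure cell is emitted as &lt;img src=x onerror=alert(1)&gt;,
// which the browser displays as text instead of parsing as markup.
echo render_history_row($row), PHP_EOL;
```

Encoding at output time also neutralizes values already stored in the database, which input-side filtering alone would not.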