CVE-2026-30526
Reflected XSS in SourceCodester Zoo Management System Login
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pushpam02 | zoo_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30526 is a reflected Cross-Site Scripting (XSS) vulnerability in SourceCodester Zoo Management System 1.0. It affects the login page, which reads the msg query parameter and writes its value into the HTML response.
The vulnerability exists because the application reflects the content of the msg parameter back to the user without HTML-encoding or otherwise sanitizing it.
A remote attacker can therefore craft a URL that embeds arbitrary HTML or JavaScript in msg; when a victim opens that link, the injected script runs in the victim's browser within the origin of the application. Because the vulnerability is reflected, the attacker has to get a victim to follow the crafted link (for example by e-mail or a message), and the script runs only for that request.
For example, a payload such as `<img src="x" onerror="alert(119843)">` in the msg parameter triggers JavaScript execution as soon as the page is rendered, without any click inside the page.
How can this vulnerability impact me?
Script injected into the login page runs with the full privileges of that page in the victim's browser. Possible impacts include:
- Session hijacking by stealing session cookies, if the session cookie is not flagged HttpOnly (an HttpOnly cookie cannot be read by script, but the script can still send requests that carry it).
- Capture of the credentials a victim types into the login form, since the injected script runs on the same page as the form.
- Phishing attacks through fake login forms or messages rendered inside the legitimate application.
- Redirection of users to malicious websites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test the login page's msg parameter for reflection: request the page with a harmless marker payload in msg and check whether the marker comes back in the HTML body unchanged. A command-line check with curl looks like this (curl only shows you the raw response; it does not execute JavaScript):
- curl -i "http://<target-ip>:<port>/public_html/login?msg=%3Cimg%20src=%22x%22%20onerror=%22alert(119843)%22%3E"
If the response body contains `<img src="x" onerror="alert(119843)">` verbatim rather than an HTML-encoded form such as `&lt;img src=&quot;x&quot; ...&gt;`, the parameter is reflected without output encoding and the page is vulnerable. Use the exact path your deployment serves the login page from; /public_html/login is the path given for this advisory.
To confirm execution, open the same crafted URL in a browser: an alert box showing the number 119843 demonstrates the reflected XSS.
What immediate steps should I take to mitigate this vulnerability?
The fix is output encoding: every user-supplied value that is written into the HTML response, including the msg parameter on the login page, must be HTML-encoded (at minimum `<`, `>`, `&` and both quote characters) at the point where it is rendered, so that injected markup is displayed as text rather than interpreted by the browser.
If you have access to the source code, also add input validation: if the login page only ever needs to show a fixed set of status messages, accept a short message key in msg and look the text up server-side, so that attacker-chosen text never reaches the page at all. Validation complements output encoding; it does not replace it.
As a temporary workaround until the code is fixed, Web Application Firewall (WAF) rules can block requests that carry script-like payloads in the msg parameter. Treat this as a stopgap only: WAF signatures for XSS are routinely bypassed with alternative encodings and tag or event-handler variants.
Confirm that the application's session cookie carries the HttpOnly flag, which at least prevents the cookie-theft variant of this attack, and warn users not to follow links to the login page that contain an unexpected msg parameter until the fix is deployed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Reflected Cross-Site Scripting (XSS) vulnerability in the Zoo Management System allows attackers to inject arbitrary scripts that can lead to session hijacking, phishing, and redirection to malicious sites.
Such security weaknesses can compromise the confidentiality and integrity of user data, potentially leading to unauthorized access or data breaches.
This can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive information against unauthorized access and ensure secure handling of user data.