Executive Summary

CVE-2026-38935 is a reflected Cross-Site Scripting (XSS) vulnerability found in the diskover-community application, specifically in the public/view.php file in versions up to and including 2.3.5.

The vulnerability occurs because the doctype parameter from user input ($_REQUEST) is not properly sanitized and is directly echoed into HTML href attributes at eight different points in the code.

This allows an attacker to craft a malicious URL that injects arbitrary JavaScript code, which executes in the victim's browser when they visit the URL.

For example, an attacker can inject a script that steals the user's session cookies, including the PHPSESSID, enabling full session hijacking.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform reflected cross-site scripting (XSS) attacks that can lead to full session hijacking of authenticated users, including administrators. This can result in unauthorized access to sensitive user data and session information.

Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Specifically, the exposure of session cookies (e.g., PHPSESSID) through XSS can lead to data breaches, violating confidentiality and integrity requirements mandated by these regulations.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is full session hijacking for authenticated users, including administrators.

An attacker can steal session cookies by injecting malicious scripts, allowing them to impersonate the victim and gain unauthorized access to their account.

This can lead to unauthorized actions within the application, data theft, and potentially full account takeover, especially when combined with other vulnerabilities like CSRF (CVE-2026-38934).

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the diskover-community application for reflected cross-site scripting (XSS) in the public/view.php file, specifically by injecting payloads into the doctype parameter.

A practical detection method is to craft and visit URLs that include a script injection in the doctype parameter, such as:

• http://TARGET/view.php?id=testfile1&index=diskover-test&doctype=\"><script>alert(document.cookie)</script>

If the alert with the document cookie appears, it confirms the presence of the vulnerability.

For automated or command-line testing, you can use curl or similar tools to send requests and inspect responses for reflected script tags or payloads.

• curl -i "http://TARGET/view.php?id=testfile1&index=diskover-test&doctype=\"><script>alert(document.cookie)</script>"

Look for the injected script in the response HTML to confirm vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing the doctype parameter in the public/view.php file to prevent script injection.

• Modify the PHP code to use htmlspecialchars on the doctype parameter with ENT_QUOTES and UTF-8 encoding, for example: echo htmlspecialchars($_REQUEST['doctype'], ENT_QUOTES, 'UTF-8');

Additionally, implement a Content Security Policy (CSP) header to restrict script execution, such as:

• Content-Security-Policy: default-src 'self'

These steps help prevent arbitrary JavaScript execution and reduce the risk of session hijacking.

Useful 0 Not Useful 0