CVE-2026-38940
Received Received - Intake
Cross Site Scripting in TOKO-ONLINE-ROTI v1.0

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38940
EUVD
EUVD-2026-26388
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rafymrx toko-online-roti 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue found in RafyMrX TOKO-ONLINE-ROTI version 1.0. It allows a remote attacker to execute arbitrary code by exploiting the detail_produk.php component.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary code remotely, which may lead to unauthorized actions such as stealing user data, hijacking user sessions, or injecting malicious scripts into the application.

Compliance Impact

The Cross Site Scripting (XSS) vulnerability in RafyMrX TOKO-ONLINE-ROTI v1.0 allows attackers to execute arbitrary code, potentially leading to session hijacking and unauthorized actions. Such security weaknesses can result in unauthorized access to sensitive user data.

This exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to mitigate this vulnerability may lead to violations of these regulations due to insufficient data protection and could result in legal and financial consequences.

Detection Guidance

This vulnerability can be detected by testing the /TOKO-ONLINE-ROTI/detail_produk.php component for reflected Cross-Site Scripting (XSS) in the 'produk' parameter.

A common detection method is to inject a simple JavaScript payload, such as <script>alert(1)</script>, into the 'produk' parameter and observe if the script is reflected and executed in the response.

For example, you can use curl or a browser to send a request like:

  • curl "http://[target]/TOKO-ONLINE-ROTI/detail_produk.php?produk=<script>alert(1)</script>"

If the alert script executes or the payload appears unencoded in the response, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include sanitizing user input and applying context-aware output encoding on the 'produk' parameter in the /TOKO-ONLINE-ROTI/detail_produk.php component.

This prevents malicious scripts from being executed in the victim's browser by blocking script injection.

Additionally, reviewing and updating the application to properly handle and encode all user-supplied data before rendering it in the response is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart