CVE-2026-5825
Cross-Site Scripting in Simple Laundry System /delmemberinfo.php
Publication date: 2026-04-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5825 is a Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the Simple Laundry System, specifically in the /delmemberinfo.php file.
The vulnerability occurs because the application directly outputs the 'userid' parameter from user input into the web page without proper encoding or filtering.
This allows attackers to inject malicious JavaScript code that executes in the victim's browser.
The attack can be initiated remotely and does not require any login or authorization.
How can this vulnerability impact me? :
Exploitation of this vulnerability can have several impacts:
- Attackers can steal cookies, session tokens, or other sensitive information.
- They can perform unauthorized actions on behalf of the victim.
- Attackers may deface web pages or redirect users to malicious sites.
- There is potential for attackers to gain control over the victim's browser.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'userid' parameter in the '/delmemberinfo.php' file for Cross-Site Scripting (XSS) by injecting a script payload and observing if it executes.
- Use a web browser or tools like curl or wget to send a request with a script payload in the userid parameter, for example: http://127.0.0.1/Laundry_system/delmemberinfo.php?userid=%3Cscript%3Eprompt(/xss/);%3C/script%3E
- Observe if the injected script executes (e.g., a prompt box appears), indicating the presence of the XSS vulnerability.
- Example curl command to test the vulnerability: curl -i "http://127.0.0.1/Laundry_system/delmemberinfo.php?userid=<script>prompt(/xss/);</script>"
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement proper output encoding for user inputs in all contexts (HTML, JavaScript, CSS, URL) to prevent execution of injected scripts.
- Enforce strict input validation and filtering to allow only expected formats and reject or escape malicious content such as script tags.
- Apply a strict Content Security Policy (CSP) to restrict script sources and prevent unauthorized script execution.
- Set HttpOnly and Secure flags on cookies to protect them from being accessed by malicious scripts and ensure secure transmission.
- Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The Cross-Site Scripting (XSS) vulnerability in the Simple Laundry System allows attackers to steal sensitive information such as cookies and session tokens, perform unauthorized actions, and potentially gain control over users' browsers. This exposure of sensitive user data and unauthorized access can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Failure to remediate this vulnerability may result in non-compliance with these standards due to inadequate protection of user data, increasing the risk of data breaches and unauthorized data processing.