CVE-2026-6035
Received Received - Intake
Cross-Site Scripting in Vehicle Showroom Management System

Publication date: 2026-04-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6035
EUVD
EUVD-2026-21340
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects vehicle_showroom_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in the Vehicle Showroom Management System 1.0, specifically in the file /BranchManagement/ServiceAndSalesReport.php. It occurs because the BRANCH_ID parameter is not properly encoded or filtered before being output to the web page, allowing attackers to inject malicious scripts.

An attacker can exploit this by injecting arbitrary script code into the BRANCH_ID parameter, which then executes in the victim's browser when they access the vulnerable page.

Impact Analysis

Exploitation of this vulnerability can have severe impacts including theft of cookies, session tokens, or other sensitive data from users.

  • Attackers can perform unauthorized actions on behalf of users.
  • Web pages can be defaced or altered maliciously.
  • Users can be redirected to malicious websites.
  • Attackers may gain control over the victim's browser.

Notably, exploitation does not require the attacker to be logged in or authorized.

Detection Guidance

This vulnerability can be detected by testing the handling of the BRANCH_ID parameter in the /ServiceAndSalesReport.php file for improper input sanitization and output encoding.

A practical detection method is to inject a test payload such as <script>prompt(/xss/);</script> into the BRANCH_ID parameter and observe if the script executes when accessing the vulnerable page.

For example, you can use curl or a browser to send a request like:

  • curl "http://[target]/ServiceAndSalesReport.php?BRANCH_ID=<script>prompt(/xss/);</script>"

If the script executes or the payload is reflected without proper encoding, the vulnerability is present.

Mitigation Strategies
  • Implement proper output encoding of user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution of injected code.
  • Enforce strict input validation and filtering to accept only expected input formats and sanitize or reject potentially malicious content such as script tags or event handlers.
  • Implement a strict Content Security Policy (CSP) to restrict script sources and block unauthorized inline or external scripts.
  • Set HttpOnly and Secure flags on sensitive cookies to prevent JavaScript access and ensure transmission only over HTTPS.
  • Conduct regular security audits and code reviews to detect and remediate XSS and other vulnerabilities promptly.
Compliance Impact

The vulnerability is a Cross-Site Scripting (XSS) flaw that allows attackers to execute arbitrary scripts in users' browsers, potentially stealing sensitive data such as cookies and session tokens. This can lead to unauthorized access and data breaches.

Such data breaches and unauthorized access incidents can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. Failure to secure user data against such vulnerabilities may result in violations of these regulations, leading to legal and financial consequences.

Therefore, the presence of this vulnerability undermines the system's ability to maintain confidentiality and integrity of user data, which are core requirements in standards like GDPR and HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart