CVE-2026-6162
Cross-Site Scripting in PHPGurukul Visitor System Remote Exploit
Publication date: 2026-04-13
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | visitor_management_system | 2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The PHPGurukul Company Visitor Management System version 2.0 has a reflected Cross-Site Scripting (XSS) vulnerability in /bwdates-reports-details.php.
The 'fromdate' parameter is reflected into the response without being validated or output-encoded, so an attacker can inject HTML and JavaScript through it.
When a victim opens a specially crafted URL, the injected script runs in the victim's browser within the application's origin.
- Example payload: `<script>alert(document.cookie)</script>`, a harmless proof of concept that displays the cookies readable by script (those set without the HttpOnly flag).
How can this vulnerability impact me?
This vulnerability allows arbitrary script execution in the victim's browser, within the application's origin.
An attacker could steal information accessible to JavaScript, such as session cookies that lack the HttpOnly flag or data rendered on the page, and could issue requests to the application with the victim's privileges.
It may also allow attackers to manipulate the page content (for example, injecting a fake login form), compromising the user's security and privacy. Because the flaw is reflected, exploitation requires the victim to follow an attacker-supplied link or be redirected to it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be confirmed by testing the "fromdate" parameter of /bwdates-reports-details.php for reflected Cross-Site Scripting (XSS): supply a marker payload such as `<script>alert(document.cookie)</script>` and check whether it is returned in the response unchanged rather than HTML-encoded. Test only systems you are authorised to assess.
A practical way to test this is to craft a URL like `/bwdates-reports-details.php?fromdate=<script>alert(document.cookie)</script>` and visit it in a browser; an alert box confirms that the script executed.
Alternatively, use curl to send the request (`--data-urlencode` percent-encodes the payload for you) and inspect the response for the injected script:
- `curl -G 'http://target-site/bwdates-reports-details.php' --data-urlencode 'fromdate=<script>alert(document.cookie)</script>'`
If the response contains the literal `<script>alert(document.cookie)</script>`, the value is reflected without encoding and the vulnerability is present; if it comes back as `&lt;script&gt;alert(document.cookie)&lt;/script&gt;`, output encoding is in place. If the report page sits behind the application's login, the request must carry a valid session (for curl, pass the session cookie with `-b`).
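The same check as a small script, added here as an example and not part of the advisory or of PHPGurukul's code. It builds the probe URL with the payload percent-encoded (the equivalent of curl's `--data-urlencode`), then classifies a response body as reflecting the payload unescaped, reflecting only its HTML-entity-encoded form, or not reflecting it at all. The two sample response bodies and the `http://target-site` host are constructed for illustration; `probe()` is the only function that touches the network.

```python
"""Reflected-XSS check for the 'fromdate' parameter (added example).

The sample bodies below are constructed, not real captures; they stand in
for a vulnerable server and a server that HTML-encodes the reflected value.
"""
import html
import urllib.parse
import urllib.request

ENDPOINT = "/bwdates-reports-details.php"
PARAM = "fromdate"
# Harmless marker payload, the same one the advisory uses.
PAYLOAD = "<script>alert(document.cookie)</script>"


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the probe URL; urlencode() percent-encodes the payload the
    same way curl --data-urlencode does, so it survives the transport."""
    query = urllib.parse.urlencode({PARAM: payload})
    return f"{base_url.rstrip('/')}{ENDPOINT}?{query}"


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how the server reflected the payload.

    'unescaped': payload appears verbatim in the HTML (vulnerable).
    'escaped':   only the entity-encoded form appears (output encoding works).
    'absent':    the value is not reflected at all.
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL from a live host and classify the response.
    Network call: use only against systems you are authorised to test."""
    with urllib.request.urlopen(build_probe_url(base_url), timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return classify_reflection(resp.read().decode(charset, "replace"))


# Constructed stand-ins for the two server behaviours.
VULNERABLE_BODY = (
    "<h4>Visitors Report from <script>alert(document.cookie)</script></h4>"
)
FIXED_BODY = (
    "<h4>Visitors Report from "
    "&lt;script&gt;alert(document.cookie)&lt;/script&gt;</h4>"
)

if __name__ == "__main__":
    print(build_probe_url("http://target-site"))
    print("constructed vulnerable response:", classify_reflection(VULNERABLE_BODY))
    print("constructed fixed response:     ", classify_reflection(FIXED_BODY))
```

Run `probe("http://target-site")` against an authorised host to classify the live response; a result of `unescaped` is the condition the advisory describes, while `escaped` means the page encodes the value and the alert will not fire.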
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to validate the "fromdate" parameter in /bwdates-reports-details.php against the only format it should have (a calendar date such as YYYY-MM-DD) and reject anything else, and to HTML-encode every request value that is reflected into the page (in PHP, `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`).
The two controls are complementary: output encoding is what actually prevents script execution in the response, while strict validation narrows what reaches the page at all and catches values that are reflected in more than one place.
As defence in depth, set the HttpOnly flag on session cookies so that a cookie-stealing payload gets nothing useful, deploy a Content-Security-Policy that disallows inline script, and consider web application firewall (WAF) rules for this parameter as a temporary stopgap rather than a fix.
If the vendor has released a version that fixes this issue, update the PHPGurukul Company Visitor Management System to it.
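The two controls from the answer above, written out as an added example (not the advisory's or PHPGurukul's code, and in Python rather than the application's PHP so the behaviour can be run and checked). `render_header_vulnerable` mirrors the defect class, a raw request value interpolated into HTML; `handle_report_request` is the hardened handler that allowlists `fromdate` as a real YYYY-MM-DD date and still encodes on output. The report-header markup is assumed for illustration. The PHP equivalents are `DateTime::createFromFormat('Y-m-d', $_GET['fromdate'])` for the allowlist check and `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` for the encoding.

```python
"""Allowlist validation plus output encoding for a reflected date parameter
(added example; the <h4> header markup is assumed, not taken from the app)."""
import html
import re
from datetime import date

# Strict shape check first, then a real calendar-date parse.
_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

PAYLOAD = "<script>alert(document.cookie)</script>"


def validate_report_date(value: str) -> date:
    """Accept only a genuine calendar date in YYYY-MM-DD form.
    Markup, extra characters and impossible dates (2026-02-30) are rejected."""
    if not _DATE_RE.fullmatch(value):
        raise ValueError("fromdate must be in YYYY-MM-DD format")
    try:
        return date.fromisoformat(value)
    except ValueError as exc:
        raise ValueError("fromdate is not a valid calendar date") from exc


def escape_for_html(value: str) -> str:
    """Output encoding for HTML body context; quote=True also encodes ' and "
    so the same helper is safe inside attribute values."""
    return html.escape(value, quote=True)


def render_header_vulnerable(fromdate: str) -> str:
    """The defect class: request value dropped straight into the page."""
    return f"<h4>Visitors Report from {fromdate}</h4>"


def handle_report_request(params: dict) -> tuple[int, str]:
    """Hardened handler: 400 on anything that is not a date, and the value
    is encoded on output even though validation already constrained it."""
    raw = params.get("fromdate", "")
    try:
        d = validate_report_date(raw)
    except ValueError as exc:
        # The error text is encoded too: never reflect anything raw.
        return 400, f"<p>Error: {escape_for_html(str(exc))}</p>"
    return 200, f"<h4>Visitors Report from {escape_for_html(d.isoformat())}</h4>"


if __name__ == "__main__":
    print("vulnerable:", render_header_vulnerable(PAYLOAD))
    print("hardened:  ", handle_report_request({"fromdate": PAYLOAD}))
    print("hardened:  ", handle_report_request({"fromdate": "2026-04-13"}))
    print("encoded:   ", escape_for_html(PAYLOAD))
```

The handler rejects the payload before rendering, but `escape_for_html` is kept on the output path regardless: if the page later reflects a free-text field, or the validation is loosened, the encoding still neutralises `<`, `>`, `&` and quotes.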
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a reflected Cross-Site Scripting (XSS) issue that lets an attacker execute arbitrary script in the victim's browser, which can expose session tokens and any personal data the victim can view in the application.
Such a vulnerability can negatively impact compliance with regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal data. Exploitation that results in unauthorized access to personal data may constitute a reportable breach under those regimes, in addition to being a failure of the required security controls.