CVE-2026-7089
Received Received - Intake
Cross-Site Scripting in Home Service System Appointment Booking

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7089
EUVD
EUVD-2026-25773
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects home_service_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7089 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Home Service System version 1.0, specifically in the booking.php file within the Appointment Booking component.

The vulnerability arises because the input parameters 'fname' and 'lname' in the booking form are not properly sanitized or encoded before being stored in the database.

An unauthenticated attacker can inject malicious JavaScript code into these fields, which is later rendered without encoding in the admin panel (admin.php) when an administrator views the Manage Booking section.

This causes the malicious script to execute in the administrator's browser, potentially allowing the attacker to steal the administrator's session cookie and hijack their session.

Impact Analysis

This vulnerability can lead to a full administrative account takeover and complete compromise of the application.

  • An attacker can inject malicious scripts that execute in the administrator's browser.
  • The attacker can steal the administrator's PHPSESSID session cookie.
  • With the stolen session, the attacker can hijack the admin session and perform any administrative actions, such as managing bookings and providers.
  • This leads to full application compromise without requiring any authentication.
Detection Guidance

This vulnerability can be detected by testing the booking form fields, specifically the parameters `fname` and `lname` in the booking.php file, for stored cross-site scripting (XSS) payloads.

  • Use a web proxy or intercepting tool (e.g., Burp Suite) to submit a test payload such as `<script>alert(1)</script>` into the First Name or Last Name fields on the booking page.
  • After submitting the payload, check if the script executes when accessing the Manage Booking section in admin.php.
  • You can also use curl commands to submit payloads, for example:
  • curl -X POST -d "fname=<script>alert(1)</script>&lname=test" http://target/booking.php
  • Monitor the admin panel for execution of the injected script or unusual behavior indicating session hijacking attempts.
Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding all user inputs to prevent malicious script injection.

  • Apply the PHP function `htmlspecialchars()` with the `ENT_QUOTES` flag to all inputs from the booking form fields (`fname` and `lname`) before storing or rendering them.
  • Implement a Content Security Policy (CSP) header to restrict the execution of unauthorized scripts.
  • Validate and sanitize all form inputs on the server side to ensure no malicious code is accepted.
  • Avoid rendering user input directly without proper encoding in the admin panel (admin.php).
Compliance Impact

The vulnerability allows unauthenticated attackers to perform stored cross-site scripting (XSS) attacks that can lead to administrative session hijacking and full application compromise.

Such a compromise can result in unauthorized access to sensitive personal data managed by the application, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by potentially exposing personal data through administrative account takeover and lack of proper input sanitization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7089. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart