CVE-2026-7090
Status: Received - Intake
Cross-Site Scripting in code-projects Chat System 1.0 Admin Panel

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross-site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor          Product                  Version / Range
code-projects   chat_system              1.0
code-projects   chat_system_using_php    1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7090 is a Stored Cross-Site Scripting (XSS) vulnerability in the Chat System Using PHP version 1.0 from code-projects.org. It occurs in the chat messaging feature where user input in the 'msg' parameter is not properly sanitized or encoded before being stored in the database and later displayed. This allows an attacker to inject malicious scripts that persistently execute in the browsers of users who load the chatroom.

Specifically, the vulnerability is in the file /admin/send_message.php where the 'msg' POST parameter is directly inserted into the database without validation. When messages are retrieved and displayed by /admin/fetch_chat.php, the malicious scripts execute because output is not escaped.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute persistent cross-site scripting (XSS) attacks that can lead to session hijacking, administrative account takeover, and theft of user data such as session cookies.

Such unauthorized access and data compromise can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, the presence of this vulnerability in the chat system could lead to non-compliance with these standards due to the risk of data exposure, user privacy violations, and potential misuse of administrative privileges.


How can this vulnerability impact me?

This vulnerability can have severe impacts including persistent execution of malicious scripts for all users and administrators accessing the chatroom. An attacker with a valid user session can:

  • Steal session cookies of users and admins, enabling session hijacking.
  • Perform Cross-Site Request Forgery (CSRF) attacks using stolen admin sessions.
  • Redirect users to phishing or malware websites.
  • Create self-propagating worms that spread malicious payloads automatically.
  • Install persistent browser-based keyloggers to capture keystrokes of chat users.
  • Deface the chat interface permanently.

Overall, this can lead to complete session hijacking, administrative account takeover, and potentially full application compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the /admin/send_message.php endpoint for improper handling of the POST parameter 'msg' that leads to stored cross-site scripting (XSS).

One approach is to send a crafted POST request with a script payload in the 'msg' parameter and then check if the payload is stored and executed when fetching chat messages.

Example command using curl to test the injection point:

  • curl -X POST -d "msg=<script>alert('XSS')</script>" https://targetsite/admin/send_message.php

After sending the payload, access the chatroom page or use a command to fetch chat messages and check if the script executes or appears unescaped.

You can also inspect the database entries in the 'chat' table to see if the malicious script is stored without sanitization.
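The database check described above, written out as an added audit script (it is not part of the advisory or of the Chat System project). It stands in for a `SELECT id, msg FROM chat` query with constructed sample rows; the row shape (`id`, `msg`) and the table name are assumptions taken from the advisory's wording, and the patterns are a triage heuristic, not a parser:

```php
<?php
// Added example (not the project's code): flag stored chat rows that contain
// HTML markup. A plain-text chat should never hold tags, event-handler
// attributes or javascript: URLs, so any hit is worth a manual look.
declare(strict_types=1);

/**
 * Heuristic: true when the message contains something a browser would
 * interpret as markup or script rather than text.
 */
function looksLikeMarkup(string $msg): bool
{
    $patterns = [
        '/<\s*\/?[a-z][\w-]*[^>]*>/i',   // an HTML tag, e.g. <script> or <b>
        '/\bon[a-z]+\s*=/i',            // an event-handler attribute, e.g. onload=
        '/javascript\s*:/i',            // a javascript: URL scheme
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $msg) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Walk the rows and return the ids of messages that look like markup.
 * $rows is a list of ['id' => int, 'msg' => string] (assumed column names).
 */
function auditMessages(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (looksLikeMarkup($row['msg'])) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the chat table contents.
$rows = [
    ['id' => 1, 'msg' => 'hello team'],
    ['id' => 2, 'msg' => "<script>alert('XSS')</script>"],  // the advisory's test payload
    ['id' => 3, 'msg' => 'price is < 5 and > 3'],          // benign angle brackets
    ['id' => 4, 'msg' => '<b>bold</b>'],                   // harmless tag, still not plain text
];

print_r(auditMessages($rows));
```

Row 3 is the case that matters when tuning this: bare `<` and `>` around numbers are legitimate chat text, and the tag pattern requires a letter right after `<`, so only rows 2 and 4 are flagged. Run it against a dump of the real table and review every hit by hand; the script only narrows the search.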


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and escaping user input and output to prevent stored XSS attacks.

  • Sanitize the 'msg' input in /admin/send_message.php using functions like strip_tags() or htmlspecialchars() before storing it in the database.
  • Escape all output in /admin/fetch_chat.php by applying htmlspecialchars() with ENT_QUOTES and UTF-8 encoding before echoing messages.
  • Implement a strict Content Security Policy (CSP) header, for example: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
  • Set HttpOnly and Secure flags on session cookies to protect against session hijacking.
  • Use prepared statements to fix any accompanying SQL Injection vulnerabilities in send_message.php.
  • Enforce server-side message length limits (e.g., 500 characters) to reduce attack surface.
  • Consider using a templating engine with auto-escaping features to prevent future XSS issues.
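The store-and-display path from the first answer and the fixes from the list above, as an added PHP example. This is not the project's code: the Chat System's real handlers are not reproduced in the advisory, so the table and column names (`chat`, `user_id`, `msg`), the use of `mysqli`, and the function names are assumptions. The unsafe pair shows the shape the advisory describes; the hardened pair is the replacement.

```php
<?php
// Added example (not the project's code). Assumed schema: chat(user_id, msg).
declare(strict_types=1);

const MAX_MSG_LEN = 500; // server-side length limit from the mitigation list

// --- Shape the advisory describes (shown for comparison only) ---------------
// POST 'msg' concatenated into SQL and later echoed as raw HTML.
function storeMessageUnsafe(mysqli $db, string $msg, int $userId): void
{
    $db->query("INSERT INTO chat (user_id, msg) VALUES ($userId, '$msg')");
}
function renderMessageUnsafe(string $msg): string
{
    return "<div class=\"msg\">$msg</div>"; // raw text in HTML: the stored XSS sink
}

// --- Hardened replacement ----------------------------------------------------

// Validate, then store with a prepared statement. Returns false on rejection.
function storeMessage(mysqli $db, string $msg, int $userId): bool
{
    $msg = trim($msg);
    if ($msg === '' || !mb_check_encoding($msg, 'UTF-8')) {
        return false;                      // empty or malformed bytes
    }
    if (mb_strlen($msg, 'UTF-8') > MAX_MSG_LEN) {
        return false;                      // over the length limit
    }
    // Store the text as typed; encoding belongs at the output boundary.
    $stmt = $db->prepare('INSERT INTO chat (user_id, msg) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $msg);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Encode for an HTML-body context: ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE replaces invalid sequences instead of returning ''.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMessage(string $msg): string
{
    return '<div class="msg">' . escapeHtml($msg) . '</div>';
}

// Defence in depth: CSP from the list above, sent before any output.
function sendHardeningHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Session cookie flags; must run before session_start().
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration without a database: the advisory's test payload (constructed
// input) comes back as inert text once it passes through renderMessage().
$sample = "<script>alert('XSS')</script> hello <3";
echo renderMessage($sample), PHP_EOL;
```

The hardened version keeps the raw text in the database and encodes at output time. Stripping tags on input, as the first list item suggests, also blocks the payload but silently changes legitimate messages such as `<3`, and it does nothing for data already stored or for messages inserted by another path; output encoding covers both. The CSP is a backstop, not a substitute: with `script-src 'self'` an injected inline script will not run even if an encoding bug slips through, but the `'self'` origin must then host no user-uploadable files.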
