CVE-2026-10810
Deferred Deferred - Pending Action
Cross-Site Scripting in itsourcecode Fees Management System

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A weakness has been identified in itsourcecode Fees Management System up to 1.0. Affected is an unknown function of the file /navbar.php. This manipulation of the argument page causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-10810
EUVD
EUVD-2026-34261
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode fees_management_system to 1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a cross-site scripting (XSS) issue that allows attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking, unauthorized actions, and data theft.

Such impacts could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

However, the provided information does not explicitly discuss the vulnerability's direct effects on compliance with these standards or any regulatory implications.

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue found in the Fees Management System version 1.0, specifically in the /navbar.php file. It occurs because the 'page' URL parameter is not properly sanitized, allowing attackers to inject malicious JavaScript code that gets executed in the victim's browser.

An attacker can exploit this by crafting a special URL containing malicious scripts and tricking users into visiting it. When the page loads, the injected script runs, potentially causing harmful effects.

Impact Analysis

The impacts of this vulnerability include the possibility of session hijacking, where attackers can steal user session cookies and impersonate users.

It can also lead to unauthorized actions performed on behalf of the user, theft of sensitive data, and distribution of malware through the injected scripts.

Additionally, attackers can redirect users to phishing sites or other malicious destinations.

Detection Guidance

This vulnerability can be detected by testing the /navbar.php page for reflected cross-site scripting (XSS) through the 'page' URL parameter. You can attempt to inject a crafted payload into the 'page' parameter and observe if the JavaScript executes.

  • Use a web browser or tools like curl or wget to send a request with a payload such as: http://[target]/navbar.php?page=%27)</script><script>alert(0)</script>(%27
  • Example curl command: curl -i "http://[target]/navbar.php?page=%27)</script><script>alert(0)</script>(%27"
  • Observe the response for execution of the injected script or reflected script tags in the HTML output.
Mitigation Strategies

Immediate mitigation steps include implementing input validation and output encoding to prevent malicious scripts from executing.

  • Validate and sanitize the 'page' parameter to reject special characters that could be used for script injection.
  • Use allow-list approaches to restrict acceptable input values.
  • Apply output encoding functions such as htmlspecialchars() or htmlentities() to encode special characters before rendering.
  • Set security headers like Content-Security-Policy and X-XSS-Protection to help mitigate XSS attacks.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart