CVE-2026-13499

Cross-Site Scripting in yashpokharna2555 Restaurant Management System

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A security flaw has been discovered in yashpokharna2555 restaurent-management-system. This impacts an unknown function of the file login_register.php of the component Registration Handler. Performing a manipulation of the argument Username results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
yashpokharna2555 | restaurent_management_system | *

Exploitability

CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Detection Guidance

This vulnerability can be detected by testing the registration and login functionality for stored Cross-Site Scripting (XSS) attacks. Specifically, you can attempt to register a username containing a script tag such as `<script>alert(1)</script>`. If the script executes upon login or when the username is displayed, the system is vulnerable.

To detect this on your system, you can use web application testing tools or manual commands to submit malicious input and observe the output.

  • Use curl or similar tools to register a username with a script tag: `curl -X POST -d "username=<script>alert(1)</script>&password=pass" http://yourserver/login_register.php`
  • After registration, log in and inspect the HTML source of the page (e.g., index.php) to see if the username is rendered without encoding.
  • Use browser developer tools to check if the script executes when the username is displayed.

Impact Analysis

This vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of users who view the affected pages. Potential impacts include stealing session cookies, redirecting users to malicious websites, or performing unauthorized actions on behalf of the user.

Because the attack can be initiated remotely and the exploit is publicly available, it increases the risk of widespread exploitation.

Mitigation Strategies

Immediate mitigation steps are to validate user input and encode output so that injected markup is never interpreted by the browser as script.

  • Apply `htmlspecialchars()` or equivalent encoding functions to the username before rendering it in HTML, especially when echoing `$_SESSION['username']` in index.php.
  • Implement input validation to reject usernames containing HTML tags or script elements during registration.
  • Review and update the registration handler (login_register.php) to ensure no unsanitized user input is stored or output.
  • Monitor the project repository for official patches or updates addressing this vulnerability.
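
The first two mitigation steps, as an added example that is not code from the project: an allow-list check for the registration handler and an output-encoding wrapper for the place where the username is echoed. The helper names `is_valid_username` and `e`, the username pattern and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allow-list check to run in the registration handler
// before the username is stored. The pattern is an assumption, not the project's rule.
function is_valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $name) === 1;
}

// Hypothetical helper: HTML-encode a value for element content or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one ordinary name and the test string from the detection steps.
$samples = ['alice_01', '<script>alert(1)</script>'];

foreach ($samples as $submitted) {
    // Registration side: reject the value before it ever reaches the database.
    $accepted = is_valid_username($submitted);

    // Stands in for the value index.php reads back from $_SESSION['username'].
    $stored = $submitted;

    // Weak form described on this page:  echo 'Welcome, ' . $stored;
    // Hardened form: encode at the point of output even when validation passed,
    // because rows stored before validation was added may still contain markup.
    $rendered = 'Welcome, ' . e($stored);

    printf("%-28s accepted=%-3s rendered=%s\n", $submitted, $accepted ? 'yes' : 'no', $rendered);
}
```

Run from the command line, the second sample is reported as rejected and its rendered form contains `&lt;script&gt;` rather than a live tag, which is the same thing to look for in the HTML source during the detection check.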

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to execute arbitrary JavaScript by injecting malicious scripts into usernames that are stored and later rendered without proper encoding.

Such XSS vulnerabilities can lead to unauthorized access to user session data, including cookies, which may result in data breaches or unauthorized actions on behalf of users.

From a compliance perspective, this could impact adherence to standards like GDPR or HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or disclosure.

Failure to mitigate this vulnerability could lead to violations of these regulations due to potential compromise of user data confidentiality and integrity.

Executive Summary

CVE-2026-13499 is a stored Cross-Site Scripting (XSS) vulnerability in the yashpokharna2555 restaurant management system. It occurs because usernames entered by users are stored in the database without sanitization and later displayed in the application's HTML without proper encoding. A malicious user can register a username containing harmful script tags, which gets stored and then executed in other users' browsers when the username is displayed. This happens because the username is directly echoed into the HTML without using encoding functions like htmlspecialchars().

The vulnerability arises from missing input validation during user registration and the lack of output encoding when rendering the username on pages such as index.php.
