CVE-2026-13567
Received Received - Intake

Cross-Site Scripting in Online Music Site 1.0

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-13567
EUVD
EUVD-2026-40082

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to inject and execute malicious scripts via stored cross-site scripting (XSS) in user feedback fields. This can lead to theft of user cookies and session hijacking, potentially exposing personal data.

Such exposure and unauthorized access to personal data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user information against unauthorized access and ensuring data integrity.

Therefore, this vulnerability poses a risk to compliance with these standards by enabling attacks that compromise user data confidentiality and integrity.

Detection Guidance

This vulnerability can be detected by testing the POST request handler of the Feedback.php file for improper input sanitization on the parameters fname, femail, faddress, and fmessage.

You can attempt to inject a simple XSS payload such as `<img src=x onerror=alert(1)>` into these fields via a POST request and observe if the payload is stored and later executed when the feedback is displayed.

A sample command using curl to test the vulnerability might be:

  • curl -X POST -d "fname=<img src=x onerror=alert(1)>&[email protected]&faddress=address&fmessage=message" http://targetsite/Frontend/Feedback.php

If the alert is triggered when viewing the stored feedback, it confirms the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and output encoding on the affected parameters (fname, femail, faddress, fmessage) in the Feedback.php file.

  • Validate and sanitize all user inputs to reject or escape special characters that could be used for script injection.
  • Apply strict filtering to disallow HTML or JavaScript code in the input fields.
  • Encode output properly before rendering user-submitted data on HTML pages to prevent execution of injected scripts.

These measures will reduce the risk of stored cross-site scripting attacks and protect users from malicious script execution.

Executive Summary

This vulnerability is a security flaw in the Online Music Site 1.0, specifically in the POST Request Handler component located in the /Frontend/Feedback.php file. It involves the manipulation of input arguments such as fname, femail, faddress, and fmessage, which leads to a cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts into the website through these input fields.

The attack can be launched remotely, and the exploit code has already been made public, increasing the risk of attacks.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of the affected website. This can lead to various impacts such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of users without their consent.

Since the exploit is publicly available and the attack can be performed remotely, the risk of exploitation is significant, especially if users interact with the vulnerable input fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13567. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart