{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0730", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-08T15:13:11.306Z", "datePublished": "2026-01-08T22:02:09.530Z", "dateUpdated": "2026-02-23T08:24:15.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:24:15.165Z"}, "title": "PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "PHPGurukul", "product": "Staff Leave Management System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:phpgurukul:staff_leave_management_system:*:*:*:*:*:*:*:*"], "modules": ["SVG File Handler"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-08T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-22T17:19:02.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "hackerfactory (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.340127", "name": "VDB-340127 | PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340127", "name": "VDB-340127 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.733160", "name": "Submit #733160 | PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md", "tags": ["exploit"]}, {"url": "https://phpgurukul.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T18:14:36.059851Z", "id": "CVE-2026-0730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:14:46.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T18:14:36.059851Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:14:42.408Z"}}], "cna": {"tags": ["x_freeware"], "title": "PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "hackerfactory (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:phpgurukul:staff_leave_management_system:*:*:*:*:*:*:*:*"], "vendor": "PHPGurukul", "modules": ["SVG File Handler"], "product": "Staff Leave Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-08T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-22T17:19:02.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.340127", "name": "VDB-340127 | PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340127", "name": "VDB-340127 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.733160", "name": "Submit #733160 | PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md", "tags": ["exploit"]}, {"url": "https://phpgurukul.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:24:15.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0730", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:24:15.165Z", "dateReserved": "2026-01-08T15:13:11.306Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-08T22:02:09.530Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:staff_leave_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4EF8EC9D-B51F-40C6-BD8B-8FC31D9C605E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en PHPGurukul Staff Leave Management System 1.0. El elemento afectado es la funci\u00f3n ADD_STAFF/UPDATE_STAFF del archivo /staffleave/slms/slms/adminviews.py del componente SVG File Handler. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento profile_pic puede llevar a cross site scripting. El ataque puede ejecutarse de forma remota. El exploit ha sido publicado y puede ser utilizado."}], "id": "CVE-2026-0730", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-08T22:16:02.753", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://phpgurukul.com/"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.340127"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.340127"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.733160"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:40:07.184346+00:00", "value": {"mitigation_remediation": ["Upgrade the Staff Leave Management System to the latest patched version when it becomes available.", "Restrict profile picture uploads to image types without script support and perform server\u2011side MIME type validation to reject disallowed file formats.", "Sanitize or escape any SVG content before rendering and enforce a strict Content\u2011Security\u2011Policy that blocks inline scripts and eval usage.", "If a patch is not immediately available, disable the ADD_STAFF/UPDATE_STAFF functionality for untrusted users until remediation is deployed."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects PHPGurukul\u2019s Staff Leave Management System, specifically version 1.0. No other product versions are reported as impacted.", "description_and_impact": "A flaw has been identified in the Staff Leave Management System version 1.0 where the ADD_STAFF and UPDATE_STAFF functions in the adminviews.py module, part of the SVG File Handler component, allow an attacker to manipulate the profile_pic argument. This manipulation injects JavaScript that is executed by the victim\u2019s browser, giving the attacker the ability to perform client\u2011side attacks such as session hijacking, defacement, or executing arbitrary code in the context of the application. The CVSS score of 4.8 indicates a moderate severity potential for client\u2011side compromise.", "risk_and_exploitability": "The EPSS score is below 1%, implying a low but non\u2011zero likelihood of exploitation. The vulnerability can be triggered remotely via crafted input, and an exploit has already been published. It is not listed in the CISA KEV catalog, indicating no confirmed large\u2011scale incidents yet. The moderate CVSS score combined with the remote attack vector places this flaw at a manageable but still noticeable risk, especially in environments with exposed user interfaces or where SVG uploads are allowed."}}}}, "created": "2026-01-09T13:24:12.292280+00:00", "updated": "2026-04-18T16:45:05.226222+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$staff_leave_management_system"]}