{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4877", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-26T06:10:55.785Z", "datePublished": "2026-03-26T13:05:39.008Z", "dateUpdated": "2026-03-26T18:25:16.231Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T13:05:39.008Z"}, "title": "itsourcecode Payroll Management System index.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Payroll Management System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in itsourcecode Payroll Management System up to 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument page results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-26T07:16:02.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "zhangbaichuan.01 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353560", "name": "VDB-353560 | itsourcecode Payroll Management System index.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353560", "name": "VDB-353560 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776249", "name": "Submit #776249 | itsourcecode Payroll Management System V1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/submit/issues/4", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:17:31.391372Z", "id": "CVE-2026-4877", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:25:16.231Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4877", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:17:31.391372Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:17:49.752Z"}}], "cna": {"tags": ["x_freeware"], "title": "itsourcecode Payroll Management System index.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "zhangbaichuan.01 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:*"], "vendor": "itsourcecode", "product": "Payroll Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-26T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-26T07:16:02.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.353560", "name": "VDB-353560 | itsourcecode Payroll Management System index.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353560", "name": "VDB-353560 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776249", "name": "Submit #776249 | itsourcecode Payroll Management System V1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ltranquility/submit/issues/4", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in itsourcecode Payroll Management System up to 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument page results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T13:05:39.008Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4877", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:25:16.231Z", "dateReserved": "2026-03-26T06:10:55.785Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-26T13:05:39.008Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in itsourcecode Payroll Management System up to 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument page results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en el Sistema de Gesti\u00f3n de N\u00f3minas itsourcecode hasta la versi\u00f3n 1.0. Esto afecta a una funci\u00f3n desconocida del archivo /index.PHP. Realizar una manipulaci\u00f3n del argumento page resulta en cross-site scripting. Es posible iniciar el ataque de forma remota. El exploit ha sido publicado al p\u00fablico y puede ser utilizado para ataques."}], "id": "CVE-2026-4877", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T14:16:14.490", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/ltranquility/submit/issues/4"}, {"source": "cna@vuldb.com", "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353560"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353560"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776249"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Payroll Management System", "source": "cna", "vendor": "itsourcecode"}, "product": "payroll_management_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-03-26T15:08:42.437484+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest release of itsourcecode Payroll Management System that resolves the XSS vulnerability.", "If an update is unavailable, restrict or sanitize input on the \u2018page\u2019 parameter to allow only safe values and reject script payloads.", "Deploy or configure a web application firewall to block known XSS attack patterns targeting the index page."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (remote, user\u2011level, publicly exploitable)"}, "threat_synthesis": {"affected_systems": "The flaw affects itsourcecode\u2019s Payroll Management System up to version 1.0. The vulnerable functionality resides in the /index.php file and is triggered by the page parameter. Users running any release at or below v1.0 risk exposure if the page argument is not properly sanitized.", "description_and_impact": "A cross\u2011site scripting flaw was identified in the Payroll Management System\u2019s index page, where manipulating the \u201cpage\u201d argument allows arbitrary JavaScript injection into the browser. The vulnerability is anchored in a missing or improper output encoding and falls under the CWE\u201179 security weakness. An attacker can exploit this flaw remotely by crafting a URL that delivers malicious scripts to a victim\u2019s session. This can lead to credential theft, session hijacking, defacement, or the execution of additional attack payloads within the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, primarily affecting confidentiality and integrity at the user level. No EPSS score is provided and the vulnerability is not listed in the KEV catalog; however, the public release of the exploit means that the attack path is well known. The vulnerability can be invoked purely through a crafted HTTP request, with no authentication or privilege escalation required. As such, any exposed instance of the affected system poses a tangible risk to users who interact with the index page."}}}}, "created": "2026-03-27T08:34:34.214520+00:00", "updated": "2026-03-27T09:28:22.707896+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$payroll_management_system"]}