{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5209", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-31T10:18:21.484Z", "datePublished": "2026-03-31T18:30:12.047Z", "dateUpdated": "2026-03-31T20:30:43.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T18:30:12.047Z"}, "title": "SourceCodester Leave Application System User Management cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Leave Application System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["User Management Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-31T12:23:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Hemant Raj Bhati (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354345", "name": "VDB-354345 | SourceCodester Leave Application System User Management cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354345/cti", "name": "VDB-354345 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780417", "name": "Submit #780417 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@hemantrajbhati5555/stored-cross-site-scripting-xss-in-php-leave-application-system-3260c881a1fa", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T20:30:32.902818Z", "id": "CVE-2026-5209", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:30:43.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5209", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T20:30:32.902818Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:30:37.798Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Leave Application System User Management cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Hemant Raj Bhati (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "modules": ["User Management Handler"], "product": "Leave Application System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-31T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-31T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-31T12:23:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354345", "name": "VDB-354345 | SourceCodester Leave Application System User Management cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/354345/cti", "name": "VDB-354345 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780417", "name": "Submit #780417 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@hemantrajbhati5555/stored-cross-site-scripting-xss-in-php-leave-application-system-3260c881a1fa", "tags": ["broken-link", "exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T18:30:12.047Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5209", "state": "PUBLISHED", "dateUpdated": "2026-03-31T20:30:43.222Z", "dateReserved": "2026-03-31T10:18:21.484Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-31T18:30:12.047Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-5209", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T19:16:29.383", "references": [{"source": "cna@vuldb.com", "url": "https://medium.com/@hemantrajbhati5555/stored-cross-site-scripting-xss-in-php-leave-application-system-3260c881a1fa"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780417"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354345"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354345/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "leave_application_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-31T20:21:01.138755+00:00", "value": {"mitigation_remediation": ["Confirm the version of SourceCodester Leave Application System you are running.", "If you are on version 1.0 or earlier, monitor vendor communications for a forthcoming patch.", "Implement server\u2011side input validation and output encoding (for example, apply htmlspecialchars to all user\u2011provided data before rendering).", "Configure security headers such as X\u2011Content\u2011Type\u2011Options, X\u2011XSS\u2011Protection, and a strict Content\u2011Security\u2011Policy to reduce the likelihood that injected scripts execute.", "Review application logs for unusual input patterns and audit user\u2011controlled fields for security compliance."], "summary": {"action": "Assess Impact", "impact": "Stored Cross\u2011Site Scripting (remote)"}, "threat_synthesis": {"affected_systems": "SourceCodester Leave Application System version 1.0 is affected. Users running this release or earlier versions are potentially at risk. No newer versions that contain a fix are listed.", "description_and_impact": "The vulnerability appears in the user management portion of SourceCodester Leave Application System 1.0, allowing attackers to inject persistent malicious JavaScript that is executed whenever a user views the compromised data. This flaw, classified as input validation weakness and dynamic code execution, can enable session hijacking, credential theft, defacement or other client\u2011side abuses. The attack vector relies on malicious input being saved and later rendered without proper sanitization.", "risk_and_exploitability": "The base vulnerability score is 4.8, indicating moderate risk. No publicly available probability measure has been published. The flaw is not recorded in the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the flaw remotely by inserting crafted input into an administrative or user field, which is then stored and displayed to other users. Execution requires that a victim views the affected content, after which the injected script runs in that user\u2019s browser, potentially leading to the compromise of session information or other client\u2011side data."}}}}, "created": "2026-03-31T20:37:28.713246+00:00", "updated": "2026-04-02T07:53:14.652141+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$leave_application_system"]}