{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5542", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-04T06:47:04.126Z", "datePublished": "2026-04-05T04:15:11.743Z", "dateUpdated": "2026-04-06T17:59:33.893Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T04:15:11.743Z"}, "title": "code-projects Simple Laundry System Parameter modstaffinfo.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Simple Laundry System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:*"], "modules": ["Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in code-projects Simple Laundry System 1.0. Impacted is an unknown function of the file /modstaffinfo.php of the component Parameter Handler. Executing a manipulation of the argument userid can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-04T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-04T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-04T08:52:20.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Weining Xiao (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355295", "name": "VDB-355295 | code-projects Simple Laundry System Parameter modstaffinfo.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355295/cti", "name": "VDB-355295 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782224", "name": "Submit #782224 | code-projects Simple Laundry System V1.0 cross site scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/boyslikesports/vul-web/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T17:59:23.630931Z", "id": "CVE-2026-5542", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T17:59:33.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"tags": ["x_freeware"], "title": "code-projects Simple Laundry System Parameter modstaffinfo.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Weining Xiao (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:*"], "vendor": "code-projects", "modules": ["Parameter Handler"], "product": "Simple Laundry System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-04T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-04T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-04T08:52:20.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355295", "name": "VDB-355295 | code-projects Simple Laundry System Parameter modstaffinfo.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355295/cti", "name": "VDB-355295 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/782224", "name": "Submit #782224 | code-projects Simple Laundry System V1.0 cross site scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/boyslikesports/vul-web/issues/2", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in code-projects Simple Laundry System 1.0. Impacted is an unknown function of the file /modstaffinfo.php of the component Parameter Handler. Executing a manipulation of the argument userid can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-05T04:15:11.743Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5542", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T17:59:23.630931Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-06T17:59:29.753Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-5542", "state": "PUBLISHED", "dateUpdated": "2026-04-05T04:15:11.743Z", "dateReserved": "2026-04-04T06:47:04.126Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-05T04:15:11.743Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in code-projects Simple Laundry System 1.0. Impacted is an unknown function of the file /modstaffinfo.php of the component Parameter Handler. Executing a manipulation of the argument userid can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized."}], "id": "CVE-2026-5542", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-05T05:16:04.537", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/boyslikesports/vul-web/issues/2"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/782224"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355295"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355295/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Simple Laundry System", "source": "cna", "vendor": "code-projects"}, "product": "simple_laundry_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-04-05T06:20:54.382510+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or repository for a newer version of Simple Laundry System that addresses the XSS issue.", "If no update exists, restrict direct access to /modstaffinfo.php to authenticated staff only, and enforce least\u2011privilege access control.", "Validate and sanitize the userid parameter on both client and server sides, ensuring it contains only expected numeric or alphanumeric characters.", "Apply output\u2011encoding or use a templating engine that automatically escapes user\u2011controlled data before rendering.", "Deploy a Web Application Firewall rule set that detects and blocks reflected XSS payloads, and monitor logs for suspicious requests."], "summary": {"action": "Apply Mitigation", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the code\u2011projects Simple Laundry System, version 1.0 as referenced in the description. The exploit targets the modstaffinfo.php module; no other versions or products are explicitly mentioned, so the scope appears limited to this component in that version.", "description_and_impact": "The vulnerability exists in the file /modstaffinfo.php of the Simple Laundry System, where an attacker can manipulate the userid argument to inject arbitrary script content. This reflects the classic CWE\u201179 cross\u2011site scripting weakness and, because the attacker controls input to the Parameter Handler, it could potentially execute server\u2011side code as indicated by the presence of CWE\u201194. The primary impact is that a remote user could inject malicious JavaScript that would run in the browser of any viewing user, enabling session hijacking, credential theft, or defacement of pages.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing immediate urgency. However, the attack vector is remote and publicly disclosed, meaning that with no patch available an attacker could feasibly exploit it on any exposed instance. The lack of a fix and the ability to run arbitrary client\u2011side code make the threat significant for authenticated and unauthenticated users if the application does not enforce proper access controls."}}}}, "created": "2026-04-06T20:26:36.491579+00:00", "updated": "2026-04-06T21:57:11.161306+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$simple_laundry_system"]}