{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7089", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T08:22:46.277Z", "datePublished": "2026-04-27T05:00:17.511Z", "dateUpdated": "2026-04-27T13:29:50.045Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T05:00:17.511Z"}, "title": "code-projects Home Service System Appointment Booking booking.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Home Service System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Appointment Booking"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T10:27:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "imad alvi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359664", "name": "VDB-359664 | code-projects Home Service System Appointment Booking booking.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359664/cti", "name": "VDB-359664 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/800121", "name": "Submit #800121 | code-projects Home Service System In PHP 1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:13:05.365778Z", "id": "CVE-2026-7089", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:29:50.045Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7089", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:13:05.365778Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:13:06.399Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Home Service System Appointment Booking booking.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "imad alvi (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "code-projects", "modules": ["Appointment Booking"], "product": "Home Service System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T10:27:55.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359664", "name": "VDB-359664 | code-projects Home Service System Appointment Booking booking.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359664/cti", "name": "VDB-359664 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/800121", "name": "Submit #800121 | code-projects Home Service System In PHP 1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T05:00:17.511Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7089", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:29:50.045Z", "dateReserved": "2026-04-26T08:22:46.277Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T05:00:17.511Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-7089", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T06:16:04.070", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/800121"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359664"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359664/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "home_service_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-04-28T13:11:51.357437+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or update the Home Service System to a version that contains the XSS fix.", "Sanitize the fname and lname inputs and apply appropriate output encoding before rendering them, addressing the input\u2011validation weakness highlighted by CWE\u201179.", "Implement a Content Security Policy that blocks inline scripts and restricts script loading to trusted sources to reduce the impact of any remaining XSS attempts."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is code\u2011projects Home Service System version\u202f1.0, specifically the booking.php module within the Appointment Booking component. Users running this release are vulnerable when interacting with the fname and lname input fields.", "description_and_impact": "An input validation flaw in the booking.php file of the Appointment Booking component allows the fname and lname parameters to be manipulated, resulting in cross\u2011site scripting. The vulnerability can be triggered by a remote attacker submitting malicious data; once injected, scripts execute in the victim\u2019s browser, potentially compromising sessions or enabling further malicious activity.", "risk_and_exploitability": "The CVSS score of 5.3 categorizes the flaw as moderate in severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker can initiate the attack remotely via crafted fname/lname submissions, potentially leading to arbitrary script execution within the context of the application."}}}}, "created": "2026-04-27T20:20:14.360444+00:00", "updated": "2026-04-28T13:15:31.884555+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$home_service_system"]}