CVE-2026-0642 - Vulnerability Details

- projectworlds House Rental and Property Listing complaint.php cross site scripting

Description

A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

Published: 2026-01-06

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An input field named Name in the complaint.php script of projectworlds House Rental and Property Listing 1.0 can be manipulated to inject malicious script. The injected code is reflected in the browser, enabling an attacker to execute arbitrary JavaScript in the context of any user who visits the affected page. This compromise could lead to session hijacking, credential theft, or defacement of the application.

Affected Systems

The vulnerability affects the projectworlds House Rental and Property Listing application version 1.0. No additional vendor or product details were provided beyond the CNA designation.

Risk and Exploitability

The CVSS score of 4.8 places this issue in the moderate risk category. The EPSS score is reported as less than 1 %, indicating a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, the exploit is publicly available, and attackers could launch it remotely by crafting a malicious request to complaint.php. Since no official patch is disclosed, the primary risk remains until the vendor releases a fix or the attacker successfully abuses the flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

projectworlds

House Rental and Property Listing

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:projectworlds:house_rental_and_property_listing_project:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Projectworlds	House Rental And Property Listing Project	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website or product documentation for an updated release that addresses cross‑site scripting in complaint.php and apply the patch as soon as it becomes available.
In the interim, implement server‑side validation and output encoding for the Name parameter, ensuring that any user‑supplied content is safely escaped before rendering.
Configure the web application to enforce a strict Content Security Policy that restricts executable scripts to trusted origins, thereby limiting the impact of any injected code.
Add HTTP Strict Transport Security headers to require HTTPS for all client connections, reducing the risk of man‑in‑the‑middle interception of malicious content.

Generated by OpenCVE AI on April 18, 2026 at 08:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/Pick-program/CVE/issues/4
https://vuldb.com/?ctiid.339685
https://vuldb.com/?id.339685
https://vuldb.com/?submit.732369
https://vuldb.com/?submit.736161

History

Mon, 23 Feb 2026 08:30:00 +0000

Type	Values Removed	Values Added
References		https://vuldb.com/?submit.736161

Fri, 16 Jan 2026 21:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:projectworlds:house_rental_and_property_listing_project:1.0:::::::*

Wed, 07 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projectworlds Projectworlds house Rental And Property Listing Project
Vendors & Products		Projectworlds Projectworlds house Rental And Property Listing Project

Tue, 06 Jan 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Title		projectworlds House Rental and Property Listing complaint.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/Pick-program/CVE/issues/4 https://vuldb.com/?ctiid.339685 https://vuldb.com/?id.339685 https://vuldb.com/?submit.732369
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projectworlds House Rental And Property Listing Project

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-06T22:32:07.291Z

Updated: 2026-02-23T08:21:32.410Z

Reserved: 2026-01-06T13:55:35.693Z

Link: CVE-2026-0642

Vulnrichment

Updated: 2026-01-07T16:20:37.688Z

NVD

Status : Modified

Published: 2026-01-07T12:17:07.193

Modified: 2026-02-23T09:16:36.050

Link: CVE-2026-0642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object