Description
A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Published: 2026-06-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Mail Compose Page of code‑projects Project Management System 1.0. The flaw arises from undefined handling of user input in /mail.php, permitting the insertion of arbitrary script code. This cross‑site scripting flaw can lead to defacement of mail content, injection of malicious payloads into the client browser, and a potential compromise of user session data. The weakness corresponds to CWE‑79 and CWE‑94. Based on the description, it is inferred that unsanitized input can be used to inject arbitrary scripts.

Affected Systems

Affected systems include deployments of code‑projects Project Management System version 1.0 that expose the /mail.php endpoint. Any environment hosting this component and accessible from the Internet is susceptible to the XSS flaw.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Because the exploitation requires only remote input and the vulnerability is publicly disclosed, there is a reasonable chance that attackers could abuse it. The EPSS score is not available, so the precise likelihood cannot be quantified, but the absence from the CISA KEV catalog suggests no current proven exploitation. Attackers are expected to trigger the flaw by sending crafted input to the Mail Compose endpoint, leading to script execution in victims' browsers.

Generated by OpenCVE AI on June 28, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the code‑projects Project Management System that contains the XSS fix.
  • Implement strict input validation and output encoding for all data displayed in the mail compose page to neutralize script injection.
  • Restrict access to the /mail.php endpoint by enforcing authentication and limiting permissions for untrusted users.

Generated by OpenCVE AI on June 28, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Title code-projects Project Management System Mail Compose mail.php cross site scripting
First Time appeared Code-projects
Code-projects project Management System
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:code-projects:project_management_system:*:*:*:*:*:*:*:*
Vendors & Products Code-projects
Code-projects project Management System
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Project Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-30T17:59:08.512Z

Reserved: 2026-06-27T18:29:41.908Z

Link: CVE-2026-13504

cve-icon Vulnrichment

Updated: 2026-06-30T17:59:04.471Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T19:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')