Description
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw has been identified in the Feedback.php POST request handler of the Online Music Site. By inserting malicious script content into the fname, femail, faddress or fmessage fields, an attacker can make a victim’s browser execute arbitrary JavaScript when viewing the feedback page. The flaw does not expose system credentials but can compromise the confidentiality and integrity of the web application by stealing session data, defacing content or redirecting users to malicious sites.

Affected Systems

The vulnerability affects code-projects Online Music Site version 1.0, specifically the Frontend/Feedback.php component that processes POST requests.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. Although the EPSS score is not available, the public release of the exploit and the fact that the attack can be launched remotely suggest that exploitation is plausible. The vulnerability is not listed in CISA’s KEV catalog, but because it is publicly known and can harm users, patching should be treated as a high‑priority action. The attack vector is remote and requires only a crafted HTTP POST request to the feedback endpoint, making it potentially reachable from any network that can reach the site.

Generated by OpenCVE AI on June 29, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to a newer version that fixes the XSS issue.
  • Sanitize all user‑supplied input for fname, femail, faddress and fmessage on the server side and escape the output before rendering it in HTML.
  • Implement a Content Security Policy that restricts script execution on the feedback page and consider disabling the feedback form until a fix is available.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Values added (no values removed):

  • Metrics: ssvc

    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Values added (no values removed):

  • Description: A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
  • Title: code-projects Online Music Site POST Request Feedback.php cross site scripting
  • First Time appeared: Code-projects; Code-projects online Music Site
  • Weaknesses: CWE-79, CWE-94
  • CPEs: cpe:2.3:a:code-projects:online_music_site:*:*:*:*:*:*:*:*
  • Vendors & Products: Code-projects; Code-projects online Music Site
  • References:
  • Metrics:

    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T14:02:17.011Z

Reserved: 2026-06-28T18:19:14.734Z

Link: CVE-2026-13567

Vulnrichment

Updated: 2026-06-29T14:01:59.511Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')