Description
A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable.
Published: 2026-01-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting that can cause arbitrary JavaScript to run in the victim’s browser
Action: Apply Mitigation
AI Analysis

Impact

A flaw in the Books_Manager application’s add_book_check.php controller allows an attacker to supply a crafted "mark" value that is rendered without proper sanitization, resulting in injected JavaScript that executes in the victim’s browser. This is a client‑side injection (CWE‑79) that can be leveraged to steal session cookies, deface content, or deliver secondary malware, but it does not provide direct access to the server.

Affected Systems

The vulnerability affects any deployment of iJason‑Liu Books_Manager that contains the code matching or preceding the commit hash 298ba736387ca37810466349af13a0fdf828e99c. Because the product does not use a conventional versioning scheme, it is unclear whether subsequent revisions have addressed the flaw, so administrators should assume the vulnerability persists until confirmed otherwise.

Risk and Exploitability

The CVSS score of 4.8 indicates low severity, yet the flaw can be exploited remotely without authentication and is publicly disclosed. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, implying no large‑scale attacks yet. Nevertheless, remote attackers could target any unauthenticated user visiting the vulnerable page to execute malicious scripts, and the lack of an official vendor patch requires manual mitigations.

Generated by OpenCVE AI on April 18, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Sanitize the incoming "mark" parameter and encode any output that includes this value (e.g., using htmlspecialchars) to mitigate CWE‑79 XSS.
  • Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, limiting the impact of any residual XSS attempts.
  • Deploy web application firewall rules that detect and block common XSS payload patterns, preventing malicious input from reaching the application logic.
  • Validate that the "mark" value does not contain language‑specific injection constructs and escape any code that could be interpreted as a server‑side expression language to address CWE‑94.
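The first two recommended actions, output encoding and a restrictive Content Security Policy, as an added PHP example. This is not Books_Manager's own code and makes no claim about how add_book_check.php actually handles the parameter: the function names, the assumption that the value arrives in $_GET, and the allowed character set for "mark" are all hypothetical. The point it shows is that the raw value is validated once on entry and encoded at the output boundary, and that the CSP header is sent before any body output so it is still honoured if a value somehow reaches the page unencoded.

```php
<?php
// Added example (not Books_Manager's own code): validate, encode and CSP for a
// request parameter such as "mark". Names and the allowed format are assumptions.

declare(strict_types=1);

// Encode a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8, which would otherwise silently drop the value.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Accept only the shape the application expects (assumed here: a short
// alphanumeric mark with a few punctuation characters) and reject the rest
// before the value is used anywhere. Tighten or loosen the pattern to match
// what the real field is supposed to contain.
function validate_mark(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9 ._-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Headers must go out before any body output. Scripts may only load from the
// application's own origin; inline scripts are blocked, so a reflected payload
// that slips past encoding still cannot execute.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('Content-Type: text/html; charset=UTF-8');

$mark = validate_mark($_GET['mark'] ?? null); // assumption: GET parameter
if ($mark === null) {
    http_response_code(400);
    echo '<p>Invalid mark.</p>';
    exit;
}

// Encode at the output boundary: the raw value is never concatenated into HTML.
echo '<p>Mark: ' . html_encode($mark) . '</p>';
echo '<input type="text" name="mark" value="' . html_encode($mark) . '">';
```

If the value is later placed inside a JavaScript string, a URL, or a CSS context rather than HTML text or an attribute, htmlspecialchars alone is not sufficient; each of those contexts needs its own encoder, and the CSP above is what limits the damage when a context is missed.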


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Metrics, values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

First Time appeared, values added: Ijason-liu; Ijason-liu books Manager
Vendors & Products, values added: Ijason-liu; Ijason-liu books Manager

Mon, 26 Jan 2026 21:45:00 +0000

Description, value added: A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
Title, value added: iJason-Liu Books_Manager add_book_check.php cross site scripting
Weaknesses, values added: CWE-79; CWE-94
References, values added: (none listed)
Metrics, values added:
cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:58:35.112Z

Reserved: 2026-01-26T14:53:34.103Z

Link: CVE-2026-1444

Vulnrichment

Updated: 2026-01-27T21:41:29.518Z

NVD

Status: Deferred

Published: 2026-01-26T22:15:54.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses