CVE-2026-1700 - Vulnerability Details

- projectworlds House Rental and Property Listing sms.php cross site scripting

Description

A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-01-30

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the /app/sms.php file of Projectworlds House Rental and Property Listing 1.0, where the Message argument is not properly sanitized. Injection of malicious script into that argument triggers client‑side code execution in a victim’s browser. Attacks can proceed remotely via HTTP requests, potentially allowing an adversary to steal session cookies, deface pages, or execute arbitrary payloads in the context of an authenticated user.

Affected Systems

The only documented affected product is Projectworlds House Rental and Property Listing 1.0, supplied by the vendor Projectworlds. No other versions or products are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. The EPSS score is reported as less than 1%, meaning the known exploitation probability is very low, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is exploitable remotely, an attacker only needs to send a crafted HTTP request to the vulnerable endpoint; no local privileges are required. The lack of a public exploit URL in the provided data suggests that, while the capability exists, current exploitation activity in the wild is minimal.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

projectworlds

House Rental and Property Listing

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:projectworlds:house_rental_and_property_listing_project:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Projectworlds	House Rental And Property Listing Project	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Projectworlds House Rental and Property Listing to the version that includes the fixed code for /app/sms.php.
If an official patch is not yet available, restrict or remove direct access to the /app/sms.php endpoint or use web‑application firewall rules to block requests containing script tags or callback syntax.
Sanitize and validate the Message parameter on the server side, ensuring that any output is properly escaped and that disallowed characters or functions (e.g. eval) are rejected.
Configure a Content Security Policy on the application to block inline scripts and restrict script execution to trusted sources.

Generated by OpenCVE AI on April 18, 2026 at 01:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/jiahao412/CVE/issues/3
https://vuldb.com/?ctiid.343490
https://vuldb.com/?id.343490
https://vuldb.com/?submit.741977

History

Fri, 13 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:projectworlds:house_rental_and_property_listing_project:1.0:::::::*

Tue, 03 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projectworlds Projectworlds house Rental And Property Listing Project
Vendors & Products		Projectworlds Projectworlds house Rental And Property Listing Project

Fri, 30 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 30 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title		projectworlds House Rental and Property Listing sms.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/jiahao412/CVE/issues/3 https://vuldb.com/?ctiid.343490 https://vuldb.com/?id.343490 https://vuldb.com/?submit.741977
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projectworlds House Rental And Property Listing Project

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-30T17:02:07.865Z

Updated: 2026-02-23T09:10:35.818Z

Reserved: 2026-01-30T10:50:08.383Z

Link: CVE-2026-1700

Vulnrichment

Updated: 2026-01-30T19:26:35.552Z

NVD

Status : Analyzed

Published: 2026-01-30T17:16:14.340

Modified: 2026-02-13T18:06:05.110

Link: CVE-2026-1700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object