Description
Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a POST HTTP request, leading to execution of malicious scripts when the affected content is viewed by other users, including administrators.
Published: 2026-02-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (client‑side script injection)
Action: Assess Impact
AI Analysis

Impact

A stored Cross‑Site Scripting flaw was discovered in the edit_user.php page of the Society Management System Portal version 1.0. The vulnerability allows an attacker to inject arbitrary JavaScript into the user name field through a POST request. When another user, including administrators, views the altered content, the malicious script is executed in their browser. This is classified as CWE‑79 and represents a client‑side script injection that does not directly compromise the server.

Affected Systems

The affected product is the Society Management System Portal 1.0 from vendor Kashipara. No other vendors or versions are listed.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity vulnerability. The EPSS score is less than 1%, reflecting a low probability that this flaw will be actively exploited in the wild, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker must craft a POST request to the administrative edit endpoint and then rely on another user to view the stored value for the script to execute. The malicious script runs in the victim’s browser, but does not grant server‑side code execution.

Generated by OpenCVE AI on April 18, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize the name field on the server side to eliminate executable JavaScript before storing it.
  • Deploy a strict Content Security Policy header that blocks inline scripts and disallows unknown sources.
  • Apply any vendor‑supplied patch or update to the Society Management System Portal as soon as it becomes available; otherwise monitor the vendor for future releases.
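The three recommended actions above, carried out in one added PHP example that is not code from the Kashipara product or from OpenCVE: server-side validation of the name field before it is stored, output encoding at the point where the stored value is rendered, and a Content Security Policy header as defence in depth. The users table and its columns, the PDO handle, the request array and the handler signature are assumptions for illustration.

```php
<?php
// Added example: hardened handling pattern for the "name" field of an
// admin user-edit endpoint. Table/column names, the PDO connection and the
// handler signature are assumptions, not the product's real code.
declare(strict_types=1);

// 1. Input validation: accept only a plausible display name, reject the rest.
//    Rejecting (rather than "cleaning") avoids filter-bypass problems.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    // Letters of any script, combining marks, digits, space, apostrophe,
    // hyphen and dot. Angle brackets, quotes and '&' are not allowed.
    if (!preg_match("/^[\p{L}\p{M}\p{N} .'-]+$/u", $name)) {
        return null;
    }
    return $name;
}

// 2. Output encoding: apply at every point the stored value enters HTML.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Defence in depth: a CSP that blocks inline scripts even if an encoding
//    step is ever missed. Tune the 'self' sources to the application.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Handler sketch for a POST to edit_user.php; the admin session check is
// assumed to have already happened. $post stands in for $_POST.
function handle_edit_user(PDO $db, array $post): string
{
    send_security_headers();
    $name = validate_name((string)($post['name'] ?? ''));
    $id   = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($name === null || $id === false) {
        http_response_code(400);
        return 'Invalid user id or name.';
    }
    // Prepared statement: the value is stored verbatim, never interpolated.
    $stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return 'Updated user: ' . html($name); // encoded on the way out
}
```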

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:00:00 +0000

  Type: Title
  Values added: Stored Cross‑Site Scripting in Society Management System Portal Allows Remote Script Injection

Thu, 26 Feb 2026 20:15:00 +0000

  Type: Weaknesses
  Values added: CWE-79

  Type: CPEs
  Values added: cpe:2.3:a:kashipara:society_management_system_portal:1.0:*:*:*:*:*:*:*

Tue, 24 Feb 2026 18:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 10:00:00 +0000

  Type: First Time appeared
  Values added: Kashipara; Kashipara society Management System Portal

  Type: Vendors & Products
  Values added: Kashipara; Kashipara society Management System Portal

Mon, 23 Feb 2026 19:30:00 +0000

  Type: Metrics (cvssV3_1)
  Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 23 Feb 2026 17:45:00 +0000

  Type: Description
  Values added: Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a POST HTTP request, leading to execution of malicious scripts when the affected content is viewed by other users, including administrators.
MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-02-26T22:06:10.099Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26464

Vulnrichment

Updated: 2026-02-23T18:17:18.840Z

NVD

Status : Modified

Published: 2026-02-23T18:25:51.630

Modified: 2026-02-26T23:16:34.463

Link: CVE-2026-26464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:45:08Z

Weaknesses