Impact
The vulnerability resides in the administration interface of the Event Management System, where the untrusted page parameter is reflected by the file /admin/navbar.php without proper sanitization. This flaw allows an attacker to inject arbitrary HTML and JavaScript that is executed in the browser context of any user who visits the crafted URL. The effect is a typical client-side XSS: theft of cookies, impersonation of the victim, or manipulation of the page's user interface. The weakness maps to CWE-79 (Cross-Site Scripting) and also involves PHP code injection (CWE-94), since the server evaluates the user-supplied input. The affected element is reachable remotely by appending a malicious page value to the URL, so the attack is not limited to local users.
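The following is an added illustration, not code from the advisory or from the itsourcecode project: the real contents of /admin/navbar.php are not shown here, so the vulnerable pattern and the admin page names are assumptions. It places the reflected page value beside a hardened version that allow-lists and HTML-encodes it.

```php
<?php
// Added example (not the project's code). The actual /admin/navbar.php of
// Event Management System 1.0 is not reproduced in the advisory; the
// "vulnerable" function below is an assumed reconstruction of the described
// pattern, and the "hardened" function shows one mitigation.

// Vulnerable pattern (assumed): the page value is concatenated straight into
// the navbar markup, so any HTML or script in it is reflected to the admin.
function navbar_vulnerable(array $get): string
{
    $page = $get['page'] ?? 'dashboard';
    return '<li class="active"><a href="index.php?page=' . $page . '">'
        . $page . '</a></li>';
}

// Hardened version: accept only known admin page names (assumed list), then
// HTML-encode on output anyway so nothing untrusted reaches the markup.
const ADMIN_PAGES = ['dashboard', 'events', 'users', 'bookings'];

function navbar_hardened(array $get): string
{
    $page = $get['page'] ?? 'dashboard';
    if (!in_array($page, ADMIN_PAGES, true)) {
        // Unknown value: fall back to a safe default instead of reflecting it.
        $page = 'dashboard';
    }
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li class="active"><a href="index.php?page=' . $safe . '">'
        . $safe . '</a></li>';
}

// Constructed, harmless probe value: closes the attribute and adds a tag.
$probe = ['page' => '"><b>probe</b>'];
echo navbar_vulnerable($probe), PHP_EOL; // tag lands in the page unchanged
echo navbar_hardened($probe), PHP_EOL;   // falls back to "dashboard", encoded
```

Output encoding removes the reflection itself; marking the admin session cookie HttpOnly limits the cookie theft the advisory mentions but does not fix the XSS.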
Affected Systems
The flaw is present in version 1.0 of Event Management System, supplied by itsourcecode. No other affected versions were identified in the source data.
Risk and Exploitability
The CVSS v3.1 base score of 5.3 rates the vulnerability as medium severity. The EPSS probability is reported as less than 1 %, implying that the flaw is not widely exploited or observed in the wild. Nevertheless, an exploit has been published, and the flaw can be triggered from any remote location with network connectivity to the web application, making it a realistic threat for organizations that run the vulnerable system without a patch or mitigating controls. The flaw is not currently listed in the CISA KEV catalog, but its remote reachability and script-execution capability warrant proactive attention.
OpenCVE Enrichment