Description
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
Published: 2026-04-01
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in the login page of the SourceCodester Zoo Management System. The "msg" query parameter is rendered back to the user without HTML encoding or sanitisation, which lets an attacker inject arbitrary script or markup into the page. The injected code executes in the context of the victim's browser. The potential consequences, such as session hijacking, credential theft, or site defacement, are inferred from the nature of XSS and are not directly stated in the CVE description.

Affected Systems

The vulnerability affects the SourceCodester Zoo Management System version 1.0 as distributed by SourceCodester. No other vendors or versions are mentioned in the CVE entry.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a specially crafted URL containing malicious content in the "msg" parameter and a victim who follows that link. The attack vector is remote and does not require local access or elevated privileges.

Generated by OpenCVE AI on April 2, 2026 at 04:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patched version of SourceCodester Zoo Management System v1.0 if one is available from the vendor.
  • If no patch exists, eliminate or move the "msg" parameter out of the query string and validate or sanitise its contents on the server side before reflecting it.
  • Ensure that any user‑supplied data reflected back to the browser is properly HTML‑escaped or encoded.
  • Consider configuring a Content‑Security‑Policy header to mitigate the impact of any residual XSS payloads.
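As an added illustration of the recommendations above (example code written for this page, not the Zoo Management System's own source, which is not shown here; the Python handler, the message codes and the CSP value are assumptions), the reflection pattern the CVE describes is shown beside two hardened forms: encoding msg before output, and replacing free-text msg with an allow-listed message code, with a CSP header as a second layer:

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample query string (not taken from the affected product):
# the msg parameter carries markup instead of a plain status message.
SAMPLE_QUERY = "msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

def get_msg(query_string: str) -> str:
    """Return the first msg value from a query string, or '' if absent."""
    return parse_qs(query_string).get("msg", [""])[0]

def render_unsafe(query_string: str) -> str:
    """Reproduces the pattern the CVE describes: msg is reflected verbatim."""
    return f'<div class="alert">{get_msg(query_string)}</div>'

def render_escaped(query_string: str) -> str:
    """Fix 1: HTML-encode msg (quotes included) before placing it in the page."""
    return f'<div class="alert">{escape(get_msg(query_string), quote=True)}</div>'

# Fix 2: stop reflecting free text. msg becomes a short code that is mapped to
# server-side strings, so the response never contains caller-chosen bytes.
MESSAGES = {
    "invalid": "Invalid username or password.",
    "logout": "You have been logged out.",
}

def render_allowlisted(query_string: str) -> str:
    """Unknown codes render nothing; known codes are still escaped (defence in depth)."""
    text = MESSAGES.get(get_msg(query_string), "")
    return f'<div class="alert">{escape(text, quote=True)}</div>' if text else ""

# Assumed policy: only same-origin scripts, no plugins, no <base> hijacking.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

def login_response(query_string: str) -> tuple[list[tuple[str, str]], str]:
    """Hardened login response: allow-listed message plus a CSP header."""
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Security-Policy", CSP)]
    body = ("<!doctype html><html><body>"
            f"{render_allowlisted(query_string)}</body></html>")
    return headers, body
```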


Tracking


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sourcecodester
                                      Sourcecodester zoo Management System
Vendors & Products                    Sourcecodester
                                      Sourcecodester zoo Management System

Fri, 03 Apr 2026 06:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Title                                 Reflected XSS in SourceCodester Zoo Management System Login
Weaknesses                            CWE-79

Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
References
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Sourcecodester Zoo Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:04:04.957Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30526

Vulnrichment

Updated: 2026-04-01T15:02:11.629Z

NVD

Status: Awaiting Analysis

Published: 2026-04-01T15:22:59.277

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-30526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T08:59:02Z

Weaknesses