Description
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

XinLiangCoder php_api_doc contains a reflected cross‑site scripting flaw in list_method.php. The vulnerability arises when the f parameter of a GET request is reflected back to the browser without sanitization, allowing an attacker to inject arbitrary JavaScript. When a victim visits the crafted URL, the injected code runs in the context of the application, enabling attacks such as session hijacking, credential theft, or malware delivery.

Affected Systems

The flaw affects all releases of XinLiangCoder php_api_doc that incorporate commit 1ce5bbf, which introduced the vulnerability. Any deployment built before this commit is vulnerable; versions after that commit are presumed safe if the change was corrected, though no specific version numbers are listed.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating moderate severity. The EPSS score is below 1 %, suggesting a low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. Exploitation requires a remote attacker to craft a malicious URL containing unsanitized input in the f parameter and for a victim to click the link, at which point the payload is executed.

Generated by OpenCVE AI on April 14, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch that addresses the issue once it becomes available; update to the latest stable release if it contains the fix.
  • If a patch is not yet released, modify the application to sanitize or escape the value of the f parameter before rendering it in the response.
  • Test the mitigation by sending benign and malicious payloads to confirm that the f parameter is no longer reflected.
  • Regularly review vendor advisories for php_api_doc and apply future patches as they are released.

Generated by OpenCVE AI on April 14, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:xinliangcoder:php_api_doc:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Xinliangcoder
Xinliangcoder php Api Doc
Vendors & Products Xinliangcoder
Xinliangcoder php Api Doc

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 20 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
Title XinLiangCoder / php_api_doc Reflected XSS via list_method.php
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Xinliangcoder Php Api Doc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:20.725Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32844

cve-icon Vulnrichment

Updated: 2026-03-20T21:28:24.727Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T18:16:16.280

Modified: 2026-04-14T01:19:15.420

Link: CVE-2026-32844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:47Z

Weaknesses