Description
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in list_method.php. The f query parameter is echoed directly without any sanitization or encoding. A remote attacker can therefore craft a malicious URL containing JavaScript, which will run in the victim’s browser when the page is loaded. This allows arbitrary code execution that can hijack sessions, steal credentials, or deliver malware within the application’s context.

Affected Systems

The vulnerable code is part of XinLiangCoder’s php_api_doc application, specifically the commit 1ce5bbf1429c077d6e3f0860098099d272e3f3c2. Any instance running that commit or subsequent versions including it remains vulnerable until the issue is patched.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the moderate range. No EPSS score is reported and it is not listed in KEV, but the exploit requires only a malicious link that a user clicks. Because the vulnerability is reflected, an attacker can use social engineering or phishing to deliver the payload, making it a realistic threat to users who visit untrusted URLs.

Generated by OpenCVE AI on March 20, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade php_api_doc to a release that removes the insecure echo of the f parameter or that replaces the vulnerable commit
  • If an update is unavailable, sanitize the f parameter server‑side using a function such as htmlspecialchars or OWASP ESAPI before outputting it
  • Limit the allowed values of f by implementing input validation or filtering to accept only expected tokens
  • Apply a strong Content Security Policy to restrict the execution of unexpected scripts in the application

Generated by OpenCVE AI on March 20, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:xinliangcoder:php_api_doc:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Xinliangcoder
Xinliangcoder php Api Doc
Vendors & Products Xinliangcoder
Xinliangcoder php Api Doc

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 20 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
Title XinLiangCoder / php_api_doc Reflected XSS via list_method.php
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Xinliangcoder Php Api Doc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:20.725Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32844

cve-icon Vulnrichment

Updated: 2026-03-20T21:28:24.727Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T18:16:16.280

Modified: 2026-04-14T01:19:15.420

Link: CVE-2026-32844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:28:58Z

Weaknesses