Impact
The flaw stems from unvalidated input in the showhistory.php script: user‑supplied data is reflected back into the page without output encoding for the HTML context. This is a classic reflected cross‑site scripting vulnerability (CWE‑79), and because the affected code path also includes dynamic code execution features, the issue is additionally classified as potential indirect code injection (CWE‑94). An attacker who supplies crafted parameters to the vulnerable endpoint can execute arbitrary JavaScript in the victim’s browser, enabling cookie theft, session hijacking, or delivery of further malicious payloads. The attack is performed remotely via standard web requests.
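Reflected XSS against a known endpoint leaves a clear trace in web server access logs: requests to showhistory.php whose query parameters, once URL‑decoded, carry HTML metacharacters. The following detection script is an added example, not part of the advisory or the vendor's product; the log lines are constructed, and the parameter name `user` is assumed since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format log lines (sample data, not real traffic).
# The parameter name "user" is assumed; the advisory names only the script.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /showhistory.php?user=alice HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:07 +0000] "GET /showhistory.php?user=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 1433 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:09 +0000] "GET /showhistory.php?user=%253Cb%253Ex HTTP/1.1" 200 1433 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that break out of an HTML text or attribute context, plus the
# javascript: scheme used in URL attributes.
HTML_META = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
VULNERABLE_SCRIPT = "/showhistory.php"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_xss_attempts(log_text: str) -> list[dict]:
    """Return one finding per request to the vulnerable script whose decoded
    query parameters contain HTML metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path != VULNERABLE_SCRIPT:
            continue  # only the affected endpoint is of interest here
        # parse_qsl decodes one layer; fully_decode catches double encoding.
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if HTML_META.search(value):
                findings.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f)
```

A 200 status on a flagged request is worth noting: it means the server reflected the input rather than rejecting it, which is exactly the behaviour the advisory describes.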
Affected Systems
Only the code‑projects Simple Flight Ticket Booking System version 1.0 is affected. The vulnerability is localized to the showhistory.php component of that single product; no other vendors, products, or versions are listed as impacted.
Risk and Exploitability
The CVSS base score of 5.3 categorizes the issue as medium severity. The EPSS score is reported below 1 %, suggesting a very low probability of exploitation at the time of publication, and the vulnerability is not included in CISA’s KEV catalog. Exploitation requires a remote attacker to lure a victim’s browser to the vulnerable endpoint and supply crafted input; the impact is confined to the browser session and does not provide native code execution or system compromise. Despite the moderate score, the potential for user‑session compromise warrants timely remediation.
OpenCVE Enrichment