A stored cross‑site scripting flaw resides in the visname field of visitors‑form.php in Apartment Visitors Management System V1.1. An authenticated user can submit malicious JavaScript that is later rendered when the entry is viewed in manage‑newvisitors.php or visitor‑detail.php. Because the payload is executed in the context of the victim’s browser, the attacker can deface pages, hijack sessions, and run any client‑side code, thereby compromising confidentiality, integrity, and availability of the application for logged‑in users.

The affected product is Apartment Visitors Management System V1.1, a PHP/MySQL based web application used for managing apartment visitor logs. The vulnerability is tied specifically to the visname parameter of visitors‑form.php and impacts any instance running this version that allows authenticated users to create visitor entries.

No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalogue. However, the flaw can be exploited by any authenticated user without requiring additional privileges or special conditions, making it widely exploitable within the environment it is deployed. The CVSS base score of 5.4 indicates a medium severity for this XSS flaw. The attacker does not need network access beyond the normal login channel, and based on the description, it is inferred that the attack vector is local to a logged‑in session.