CVE-2026-4626 - Vulnerability Details

- projectworlds Lawyer Management System lawyer_booking.php cross site scripting

Description

A vulnerability has been found in projectworlds Lawyer Management System 1.0. This impacts an unknown function of the file /lawyer_booking.php. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Published: 2026-03-24

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in the Lawyer Management System allows an attacker to inject arbitrary script code through the Description argument in lawyer_booking.php. The flaw can be exploited remotely by sending a crafted web request, leading to untrusted code execution inside the victim’s browser. This could enable session hijacking, credential theft, or phishing attacks against users of the application.

Affected Systems

ProjectWorlds Online Lawyer Management System version 1.0 is affected, specifically the lawyer_booking.php component. No other versions are mentioned in the current data.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating a moderate severity. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is currently uncommon. Attackers would need to deliver a malicious Description value to a user’s browser, making the threat largely dependent on the attacker’s ability to target victims through the web application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

projectworlds

Lawyer Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:projectworlds:online_lawyer_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Projectworlds

Leave Management System

93%

Version	Status	Scheme	Platform
`[1.0,1.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Validate and sanitize the 'Description' input before processing or storing it.
Apply proper output encoding when displaying any user‑supplied data from lawyer_booking.php.
Review all other input fields in the application for similar injection weaknesses and apply necessary sanitization.
Check the vendor’s website or repository for a newer release or patch that addresses the XSS issue.
Implement monitoring for suspicious requests to lawyer_booking.php and consider deploying a Web Application Firewall with XSS protection rules.

Generated by OpenCVE AI on April 8, 2026 at 20:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/eqiya17/collection-of-vulnerability/issues/2
https://vuldb.com/?ctiid.352494
https://vuldb.com/?id.352494
https://vuldb.com/?submit.775791

History

Wed, 08 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projectworlds online Lawyer Management System
CPEs		cpe:2.3:a:projectworlds:online_lawyer_management_system:1.0:::::::*
Vendors & Products		Projectworlds online Lawyer Management System

Thu, 26 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projectworlds Projectworlds leave Management System
Vendors & Products		Projectworlds Projectworlds leave Management System

Tue, 24 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in projectworlds Lawyer Management System 1.0. This impacts an unknown function of the file /lawyer_booking.php. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Title		projectworlds Lawyer Management System lawyer_booking.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/eqiya17/collection-of-vulnerability/issues/2 https://vuldb.com/?ctiid.352494 https://vuldb.com/?id.352494 https://vuldb.com/?submit.775791
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projectworlds Leave Management System Online Lawyer Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-24T02:46:13.972Z

Updated: 2026-03-26T12:29:09.031Z

Reserved: 2026-03-23T06:26:24.125Z

Link: CVE-2026-4626

Vulnrichment

Updated: 2026-03-26T12:29:05.468Z

NVD

Status : Analyzed

Published: 2026-03-24T04:17:25.100

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:39Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object