CVE-2026-4849 - Vulnerability Details

- code-projects Simple Laundry System Parameter modify.php cross site scripting

Description

A vulnerability was identified in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /modify.php of the component Parameter Handler. The manipulation of the argument firstName leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.

Published: 2026-03-26

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Simple Laundry System 1.0 contains a flaw in the /modify.php file where the firstName parameter is not properly sanitized, enabling cross‑site scripting. A malicious actor can include JavaScript code in the firstName field, which will execute in the browser of any user who views the affected page. This mechanism is a typical example of CWE‑79, as the vulnerability arises from improper handling of user‑supplied input that is reflected in a rendered web page.

Affected Systems

The issue exists in the code‑projects Simple Laundry System version 1.0. No other versions are mentioned as affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity level, and the EPSS score of less than 1 % suggests that exploitation of this flaw is unlikely to be widespread at present. It is not listed in the CISA KEV catalog. The description states the attack may be initiated remotely via a crafted firstName parameter in an HTTP request. It is unclear whether authentication is required; the data provided does not indicate that only privileged users can trigger the flaw, but remote clients can supply the malicious payload.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Simple Laundry System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:code-projects:simple_laundry_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Code-projects

Simple Laundry System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor patch that addresses the XSS flaw in /modify.php for Simple Laundry System 1.0.
If no patch exists, implement server‑side validation or output encoding for the firstName field to prevent injection of executable scripting code.
Deploy a WAF rule that detects and blocks typical XSS payloads targeting the firstName parameter.
Monitor application logs for unusual request patterns and verify that session data remains uncorrupted after applying controls.

Generated by OpenCVE AI on April 3, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/kbloow/CVE/issues/2
https://vuldb.com/?ctiid.353154
https://vuldb.com/?id.353154
https://vuldb.com/?submit.776183

History

Fri, 03 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:code-projects:simple_laundry_system:1.0:::::::*

Sat, 28 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 08:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /modify.php of the component Parameter Handler. The manipulation of the argument firstName leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title		code-projects Simple Laundry System Parameter modify.php cross site scripting
First Time appeared		Code-projects Code-projects simple Laundry System
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:code-projects:simple_laundry_system::::::::
Vendors & Products		Code-projects Code-projects simple Laundry System
References		https://code-projects.org/ https://github.com/kbloow/CVE/issues/2 https://vuldb.com/?ctiid.353154 https://vuldb.com/?id.353154 https://vuldb.com/?submit.776183
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Simple Laundry System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-26T07:41:54.393Z

Updated: 2026-03-28T02:12:49.062Z

Reserved: 2026-03-25T14:55:25.341Z

Link: CVE-2026-4849

Vulnrichment

Updated: 2026-03-28T02:12:44.662Z

NVD

Status : Analyzed

Published: 2026-03-26T08:16:22.217

Modified: 2026-04-03T17:52:48.550

Link: CVE-2026-4849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:18:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object