CVE-2026-4969 - Vulnerability Details

Description

A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. The manipulation of the argument content leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Published: 2026-03-27

Score: 5.1 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the Alert Handler’s /home.php of the code‑projects Social Networking Site version 1.0. An attacker can craft a malicious payload in the content argument that is not properly escaped, resulting in cross‑site scripting. The injected JavaScript executes in the victim’s browser when they view the affected page, allowing arbitrary script execution in the client context. The weakness aligns with CWE‑79 and the code‑injection profile points to CWE‑94.

Affected Systems

The flaw is limited to instances of code‑projects Social Networking Site 1.0 that expose the /home.php endpoint of the Alert Handler component. No other products or versions are currently listed as affected, so only this single product and component are confirmed vulnerable.

Risk and Exploitability

The CVSS v3.1 base score of 5.1 suggests moderate severity. EPSS data is not available and the vulnerability is not included in CISA’s KEV catalog. The description notes remote exploitation and a publicly available exploit, indicating that the attack vector is web‑based: an adversary supplies a crafted content value, triggers the vulnerable page, and the victim’s browser runs the injected code. Because the flaw is client‑side, the attacker does not need to compromise the server, but can still carry out credential theft, session hijacking, or defacement if the victim’s session is active.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Social Networking Site

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the code‑projects official website for an updated version or patch that addresses the XSS flaw
If no patch is immediately available, implement server-side input validation and output encoding for the content argument before it is rendered in /home.php
Apply a Content‑Security‑Policy header to restrict the execution of injected scripts
Disable or remove the Alert Handler feature if it is not required for the site’s functionality

Generated by OpenCVE AI on March 27, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://code-projects.org/
https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20PHP%20Social%20Networking%20Site.md
https://vuldb.com/?ctiid.353856
https://vuldb.com/?id.353856
https://vuldb.com/?submit.777815

History

Fri, 27 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. The manipulation of the argument content leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Title		code-projects Social Networking Site Alert home.php cross site scripting
First Time appeared		Code-projects Code-projects social Networking Site
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:code-projects:social_networking_site::::::::
Vendors & Products		Code-projects Code-projects social Networking Site
References		https://code-projects.org/ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20PHP%20Social%20Networking%20Site.md https://vuldb.com/?ctiid.353856 https://vuldb.com/?id.353856 https://vuldb.com/?submit.777815
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Social Networking Site

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-27T18:24:11.735Z

Updated: 2026-03-27T18:24:11.735Z

Reserved: 2026-03-27T08:51:43.819Z

Link: CVE-2026-4969

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T19:16:44.387

Modified: 2026-03-27T19:16:44.387

Link: CVE-2026-4969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object