CVE-2026-5806 - Vulnerability Details

- code-projects Easy Blog Site update.php cross site scripting

Description

A security vulnerability has been detected in code-projects Easy Blog Site 1.0. This affects an unknown function of the file /posts/update.php. The manipulation of the argument postTitle leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Published: 2026-04-08

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in Easy Blog Site version 1.0, specifically in the /posts/update.php script that processes the postTitle field. An attacker can supply malicious JavaScript in the postTitle value, which the application stores and later renders without proper encoding, enabling a stored cross‑site scripting attack. The main consequences are the takeover of user sessions, site defacement, or distribution of malware to visitors. The weakness corresponds to input validation failures (CWE‑79) and code injection possibilities (CWE‑94).

Affected Systems

All installations of code‑projects Easy Blog Site version 1.0 that include the /posts/update.php routine are affected, as the uncovered flaw involves the postTitle parameter in that script. No other versions or sub‑versions were specifically identified in the advisory.

Risk and Exploitability

The flaw carries a CVSS base score of 5.1, placing it in the medium severity range. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no large‑scale exploitation reports yet. However, the description indicates the exploit is available over the Internet and can be triggered remotely by delivering a crafted postTitle payload that is subsequently rendered in the browser. Because the stolen input is stored, any user who views the compromised post will be affected, raising the potential impact for confidentiality, integrity, and availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Easy Blog Site

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Easy Blog Site

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an official patch or update to Easy Blog Site 1.0 when a fix is released.
If no patch exists, modify the /posts/update.php handler to sanitize and escape all content stored in postTitle.
Implement a strict whitelist for allowed characters or HTML tags in postTitle to prevent script injection.
Add security headers such as X‑Content‑Type‑Options: nosniff, X‑XSS‑Protection, and a Content‑Security‑Policy that restricts script origins.
Monitor application logs for suspicious input patterns and conduct regular penetration testing to detect similar stored XSS flaws.

Generated by OpenCVE AI on April 8, 2026 at 22:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Easy%20Blog%20Site%20PHP%20postTitle%20Parameter.md
https://vuldb.com/submit/787045
https://vuldb.com/vuln/356244
https://vuldb.com/vuln/356244/cti

History

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects easy Blog Site
Vendors & Products		Code-projects Code-projects easy Blog Site

Wed, 08 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in code-projects Easy Blog Site 1.0. This affects an unknown function of the file /posts/update.php. The manipulation of the argument postTitle leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Title		code-projects Easy Blog Site update.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://code-projects.org/ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Easy%20Blog%20Site%20PHP%20postTitle%20Parameter.md https://vuldb.com/submit/787045 https://vuldb.com/vuln/356244 https://vuldb.com/vuln/356244/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Easy Blog Site

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-08T21:15:17.524Z

Updated: 2026-04-09T19:40:42.658Z

Reserved: 2026-04-08T14:39:48.192Z

Link: CVE-2026-5806

Vulnrichment

Updated: 2026-04-09T19:40:37.668Z

NVD

Status : Deferred

Published: 2026-04-08T22:16:24.683

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object