Description
A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the argument BRANCH_ID can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting in ProfitAndLossReport.php allowing execution of arbitrary scripts in user browsers
Action: Patch
AI Analysis

Impact

An input parameter named BRANCH_ID in the ProfitAndLossReport.php file can be manipulated to inject malicious code. This flaw allows an attacker to run arbitrary scripts when the page is viewed, potentially stealing session data or injecting malware. The vulnerability is a typical reflected XSS problem identified under CWE-79, which can undermine confidentiality and integrity of the web application.

Affected Systems

The affected product is code-projects Vehicle Showroom Management System version 1.0. The vulnerability resides in an unspecified function of the file /BranchManagement/ProfitAndLossReport.php, and can be triggered by any user who can access that page with a crafted BRANCH_ID value.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. There is no EPSS data and the vulnerability is not listed in CISA’s KEV catalog, but the exploit has been made public and is noted as usable remotely. Attackers can reach the vulnerable endpoint over the network and supply a malicious BRANCH_ID value to inject script payloads that run in the victim’s browser.

Generated by OpenCVE AI on April 10, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a newer version of Vehicle Showroom Management System that fixes the XSS issue.
  • Validate and encode the BRANCH_ID parameter on the server side to prevent script injection.
  • Implement a Content Security Policy that restricts executable scripts to trusted origins.
  • If a patch is unavailable, consider disabling or protecting the ProfitAndLossReport.php functionality until a fix is released.
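The second recommendation above (validate and encode BRANCH_ID on the server side) and the third (a Content Security Policy) can be illustrated with a short PHP fragment. This is an added example and is not code from the Vehicle Showroom Management System project; it assumes that ProfitAndLossReport.php reads BRANCH_ID from the query string and writes it back into the HTML response, and that a branch ID is a positive integer. The function names `validateBranchId` and `h` are chosen here for illustration.

```php
<?php
// Added example, not the project's own code.
// Assumptions: BRANCH_ID arrives via $_GET, is reflected into the page
// (heading and a hidden form field), and valid IDs are positive integers.

declare(strict_types=1);

// Unsafe pattern that produces a reflected XSS: the raw request value is
// written straight into the page with no validation or encoding.
// echo '<h2>Report for branch ' . $_GET['BRANCH_ID'] . '</h2>';

/**
 * Validate BRANCH_ID as a positive integer; return null when it is not.
 * Rejecting anything that is not a numeric ID removes script payloads
 * before the value reaches the database query or the response body.
 */
function validateBranchId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Encode a value for an HTML text or attribute context.
 * ENT_QUOTES escapes both quote styles so the value is safe inside
 * attributes as well as element content; the charset is stated explicitly.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Header-level mitigation matching the CSP recommendation: scripts may only
// be loaded from this origin. Must be sent before any output is echoed.
// Adjust the policy if the application legitimately loads scripts elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$branchId = validateBranchId($_GET['BRANCH_ID'] ?? null);

if ($branchId === null) {
    http_response_code(400);
    // Do not reflect the rejected input back to the client; a fixed message is enough.
    echo h('Invalid BRANCH_ID');
    exit;
}

// The value is now a known-good integer. Output encoding is still applied as
// defence in depth, in case the rendering code is later reused for string data.
echo '<h2>Profit and loss report for branch ' . h((string) $branchId) . '</h2>';
echo '<input type="hidden" name="BRANCH_ID" value="' . h((string) $branchId) . '">';
```

Validation (an allowlist of what the parameter may contain) and output encoding (contextual escaping at the point the value is written into HTML) address the flaw independently; the CSP header limits what an injected script could do if either of the first two were bypassed.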

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 08:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the argument BRANCH_ID can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.

Type: Title
Values Removed: (none)
Values Added: code-projects Vehicle Showroom Management System ProfitAndLossReport.php cross site scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79, CWE-94

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T15:54:13.540Z

Reserved: 2026-04-09T16:22:27.635Z

Link: CVE-2026-6034

Vulnrichment

Updated: 2026-04-10T15:45:00.930Z

NVD

Status: Received

Published: 2026-04-10T08:16:26.900

Modified: 2026-04-10T08:16:26.900

Link: CVE-2026-6034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:25Z

Weaknesses