Description
A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

The flaw in ServiceAndSalesReport.php allows an attacker to inject arbitrary scripts through the BRANCH_ID parameter because the input is not sanitized. When the affected page is rendered, any malicious script is executed in the user's browser context, enabling client-side code execution.

Affected Systems

code-projects Vehicle Showroom Management System version 1.0 is affected. Any installation that includes /BranchManagement/ServiceAndSalesReport.php and exposes the BRANCH_ID query parameter is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 signifies a moderate risk, and the advisory states that remote exploitation is possible. No EPSS score is available, but the public disclosure and the existence of an exploit raise the likelihood of use. Attackers can craft HTTP requests containing malicious payloads in BRANCH_ID; if a user visits the resulting page, the script runs in their browser.

Generated by OpenCVE AI on April 10, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify all deployments of code-projects Vehicle Showroom Management System version 1.0
  • Obtain and install any vendor-supplied patch or newer release that addresses the XSS flaw
  • If no patch is available, apply server-side validation or escaping to the BRANCH_ID input before outputting it
  • Deploy a web application firewall to detect and block suspicious requests to the BRANCH_ID parameter

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
  Values Added: Code-projects, Code-projects vehicle Showroom Management System
Type: Vendors & Products
  Values Added: Code-projects, Code-projects vehicle Showroom Management System

Fri, 10 Apr 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 08:15:00 +0000

Type: Description
  Values Added: A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Type: Title
  Values Added: code-projects Vehicle Showroom Management System ServiceAndSalesReport.php cross site scripting
Type: Weaknesses
  Values Added: CWE-79, CWE-94
Type: References
Type: Metrics
  Values Added: cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

  cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

  cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

  cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T15:14:30.174Z

Reserved: 2026-04-09T16:22:31.531Z

Link: CVE-2026-6035

Vulnrichment

Updated: 2026-04-10T15:14:24.880Z

NVD

Status: Deferred

Published: 2026-04-10T08:16:27.110

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:18Z

Weaknesses