Description
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

An input validation flaw in the booking.php file of the Appointment Booking component allows the fname and lname parameters to be manipulated, resulting in cross‑site scripting. The vulnerability can be triggered by a remote attacker submitting malicious data; once injected, scripts execute in the victim’s browser, potentially compromising sessions or enabling further malicious activity.

Affected Systems

The affected product is code‑projects Home Service System version 1.0, specifically the booking.php module within the Appointment Booking component. Users running this release are vulnerable when interacting with the fname and lname input fields.

Risk and Exploitability

The CVSS score of 5.3 places the flaw in the medium severity band, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker can initiate the attack remotely via crafted fname/lname submissions, potentially leading to arbitrary script execution within the context of the application.

Generated by OpenCVE AI on April 28, 2026 at 13:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or update the Home Service System to a version that contains the XSS fix.
  • Sanitize the fname and lname inputs and apply appropriate output encoding before rendering them, addressing the input‑validation weakness highlighted by CWE‑79.
  • Implement a Content Security Policy that blocks inline scripts and restricts script loading to trusted sources to reduce the impact of any remaining XSS attempts.
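
One way to apply the output-encoding and Content Security Policy recommendations to the fname and lname fields, as an added example that is not taken from the Home Service System source. It assumes PHP 8 and that the fields arrive as POST parameters; all function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration, not the Home Service System source; all function names are hypothetical.

// Allow-list check: Unicode letters/marks plus space, period, apostrophe, hyphen; 1 to 64 characters.
function validate_name(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // array-valued parameters (fname[]=x) are rejected
    }
    $name = trim($raw);
    // With /u, preg_match() returns false on invalid UTF-8, which also fails the === 1 test.
    return preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,63}\z/u', $name) === 1 ? $name : null;
}

// Contextual encoding for HTML element content and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Policy without 'unsafe-inline': inline script that lacks the per-response nonce is not executed.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$nonce'; "
         . "object-src 'none'; base-uri 'none'";
}

// Returns [HTTP status, HTML body] for a booking submission.
function render_booking(array $input): array
{
    $fname = validate_name($input['fname'] ?? null);
    $lname = validate_name($input['lname'] ?? null);
    if ($fname === null || $lname === null) {
        return [400, '<p>Please enter a valid first and last name.</p>'];
    }
    // Validation narrows the input; encoding at output is what keeps the value inert in HTML.
    return [200, '<p>Booking received for ' . e($fname) . ' ' . e($lname) . '.</p>'];
}

// Constructed sample input when run from the command line; real requests use $_POST.
$input = PHP_SAPI === 'cli' ? ['fname' => 'Anne-Marie', 'lname' => "O'Neil"] : $_POST;
$nonce = base64_encode(random_bytes(16));
header(csp_header($nonce));
[$status, $body] = render_booking($input);
http_response_code($status);
echo $body, PHP_EOL;
```

The sample name passes validation yet still contains an apostrophe, which `e()` emits as `&apos;`; this is why the encoding step is applied even to values that have already been validated.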


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects home Service System
Vendors & Products | | Code-projects; Code-projects home Service System

Mon, 27 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Title | | code-projects Home Service System Appointment Booking booking.php cross site scripting
Weaknesses | | CWE-79, CWE-94
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:29:50.045Z

Reserved: 2026-04-26T08:22:46.277Z

Link: CVE-2026-7089

Vulnrichment

Updated: 2026-04-27T13:13:06.399Z

NVD

Status: Deferred

Published: 2026-04-27T06:16:04.070

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses