CVE-2026-7090 - Vulnerability Details

- code-projects Chat System send_message.php cross site scripting

Description

A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

Published: 2026-04-27

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows an attacker to inject arbitrary JavaScript code through the msg parameter of the /admin/send_message.php endpoint. When the chat interface renders the message without proper sanitization, the injected script executes in the browsers of any user who views the affected chat message. This can lead to the compromise of the user’s session, defacement of the chat interface, or execution of additional malicious actions, all within the context of the victim’s browser. Based on the description, it is inferred that the typical impact of this XSS flaw is the potential for unauthorized client‑side code execution, but explicit claims of session hijacking or credential theft are not documented in the CVE data.

Affected Systems

Vendors: code‑projects; Product: Chat System version 1.0. The vulnerability resides in the /admin/send_message.php script that processes message submissions. All users who view messages handled by this component, including registered participants and administrators, are potentially exposed.

Risk and Exploitability

The CVSS score of 4.8 denotes moderate severity, while the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Attackers may target the vulnerability remotely by issuing HTTP requests to the vulnerable admin endpoint and supplying a crafted msg parameter, implying that the attack vector is a remote web request over the public network.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Chat System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Chat System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Implement server‑side sanitization or escaping for the msg input to strip or neutralize malicious script content.
Configure a strict Content Security Policy header that limits script execution to trusted sources, mitigating the effect of any residual XSS payloads.
Deploy a Web Application Firewall rule that blocks common XSS payload patterns targeting the msg parameter.
If a vendor patch becomes available, upgrade the Chat System to the latest version that addresses this cross‑site scripting flaw.

Generated by OpenCVE AI on April 28, 2026 at 13:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://gist.github.com/higordiego/4683bee16b197643744159b76d0c1ea6
https://vuldb.com/submit/800383
https://vuldb.com/vuln/359665
https://vuldb.com/vuln/359665/cti

History

Mon, 27 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Title		code-projects Chat System send_message.php cross site scripting
First Time appeared		Code-projects Code-projects chat System
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:code-projects:chat_system::::::::
Vendors & Products		Code-projects Code-projects chat System
References		https://code-projects.org/ https://gist.github.com/higordiego/4683bee16b197643744159b76d0c1ea6 https://vuldb.com/submit/800383 https://vuldb.com/vuln/359665 https://vuldb.com/vuln/359665/cti
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Chat System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-27T05:15:09.222Z

Updated: 2026-04-27T12:06:41.898Z

Reserved: 2026-04-26T08:25:57.631Z

Link: CVE-2026-7090

Vulnrichment

Updated: 2026-04-27T12:06:35.040Z

NVD

Status : Deferred

Published: 2026-04-27T06:16:04.280

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object