Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Product Reservation System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within an unknown function of the handgunner-administrator/prod.php file. A fix is available, and immediate action is advised.
Successful exploitation of CVE-2026-0586 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or modifying the content of the web page. The remote nature of the vulnerability means that an attacker does not need to be on the same network as the target system to exploit it. Given the public availability of an exploit, the risk of immediate exploitation is high.
The exploit for CVE-2026-0586 is publicly available, significantly increasing the likelihood of exploitation. The vulnerability was added to the NVD database on 2026-01-05. Due to the ease of exploitation and the public availability of the exploit, the probability of exploitation is considered high. No KEV listing or confirmed active campaigns are currently known.
Organizations using the Online Product Reservation System version 1.0 are at risk, particularly those with publicly accessible instances. Shared hosting environments are especially vulnerable, as a compromised account on one site could potentially be used to exploit this vulnerability on other sites hosted on the same server.
• generic web:
curl -I 'http://your-target-domain.com/handgunner-administrator/prod.php?cat=<script>alert(1)</script>' | grep -i 'content-type: text/html'
• generic web:
curl 'http://your-target-domain.com/handgunner-administrator/prod.php?cat=<script>alert(1)</script>' | grep 'alert(1)'
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0586 is to upgrade to a patched version of the Online Product Reservation System. If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to filter out requests containing suspicious characters in the 'cat' parameter of the prod.php endpoint. Input validation on the server-side, specifically sanitizing user-supplied input before rendering it in the browser, is also crucial. Carefully review the code in handgunner-administrator/prod.php for other potential vulnerabilities. After upgrade, confirm by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) via the 'cat' parameter; it should be properly sanitized or rejected.
Update to a patched version or implement input validation for the 'cat' variable in prod.php to prevent the execution of XSS code. Validate and escape user-supplied data before displaying it on the web page.
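The server-side validation and output escaping recommended above, shown as an added PHP illustration that is not code from the Online Product Reservation System (the function names, the category allowlist and the id format are assumptions; the real prod.php code is not on this page):

```php
<?php
// Added illustration, not the project's code. Two layers of defence for the
// reflected 'cat' parameter: validate it against an allowlist of category ids
// the application actually knows, then HTML-encode whatever is rendered.
// Assumed names: validateCat(), renderCategoryHeading(), $knownCategories.

declare(strict_types=1);

/** Return the category id if it is a known one, otherwise null. */
function validateCat(mixed $raw, array $knownCategories): ?string
{
    if (!is_string($raw)) {          // arrays such as cat[]=... are rejected
        return null;
    }
    // Assumed id format: short alphanumeric token. Adjust to the real scheme.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw)) {
        return null;
    }
    return in_array($raw, $knownCategories, true) ? $raw : null;
}

/** Build the heading HTML; every untrusted string is encoded on output. */
function renderCategoryHeading(?string $cat): string
{
    if ($cat === null) {
        return '<h2>Unknown category</h2>';
    }
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // quoted attributes as well as in text nodes.
    $safe = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Category: {$safe}</h2>";
}

$knownCategories = ['books', 'electronics', 'toys']; // constructed sample
$cat = validateCat($_GET['cat'] ?? null, $knownCategories);
header('Content-Type: text/html; charset=UTF-8');
echo renderCategoryHeading($cat);
```

Even without the allowlist, the htmlspecialchars() call alone renders <script>alert(1)</script> as &lt;script&gt;alert(1)&lt;/script&gt;, which is the encoded form the post-upgrade check in the mitigation text should observe.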
CVE-2026-0586 is a cross-site scripting vulnerability affecting the Online Product Reservation System version 1.0, allowing attackers to inject malicious scripts via the 'cat' parameter in prod.php.
You are affected if you are using Online Product Reservation System version 1.0 and have not applied the available patch. Check your version and upgrade immediately.
Upgrade to a patched version of the Online Product Reservation System. If upgrading is not possible, implement a WAF rule to filter malicious input and perform server-side input validation.
Due to the public availability of an exploit, CVE-2026-0586 is likely being actively exploited. Prompt mitigation is crucial.
Refer to the vendor's website or security advisories for the Online Product Reservation System for the official advisory regarding CVE-2026-0586.