Platform
php
Component
cve_choco_5
Fixed in
1.0.1
CVE-2026-2159 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Simple Responsive Tourism Website version 1.0. This flaw allows an attacker to inject malicious scripts into the website, potentially stealing user data or performing actions on the user's behalf. The vulnerability resides in the registration process, specifically in the handling of the firstname, lastname, and username parameters. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2159 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially harvest sensitive user information, such as login credentials or personal details. Given the tourism-focused nature of the website, data like booking information and payment details could also be at risk. The remote accessibility of the vulnerability significantly broadens the potential attack surface.
A public proof-of-concept (PoC) for CVE-2026-2159 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-08. It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring. Active campaigns targeting this vulnerability are possible given the availability of the PoC.
Small and medium-sized businesses utilizing SourceCodester Simple Responsive Tourism Website version 1.0 for their online booking and tourism services are particularly at risk. Shared hosting environments where multiple websites share the same server resources are also vulnerable, as a compromise of one site could potentially impact others.
• php / web:
curl -I 'http://your-website.com/tourism/classes/Master.php?f=register&firstname=<script>alert(1)</script>' | grep HTTP/1.1
• generic web:
grep -iE 'firstname=(<|%3C)script' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2159 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website as soon as it becomes available. Until an upgrade is possible, consider implementing input validation and sanitization of the firstname, lastname, and username parameters in the register handler of /tourism/classes/Master.php (the code path reached with f=register). Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update server-side code to prevent similar vulnerabilities from arising.
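As an added example (not code from the advisory or from the SourceCodester project), the access-log check given above can be made more robust in Python: it parses Apache combined-format lines, keeps only requests to the register handler of Master.php, URL-decodes the firstname, lastname and username parameters, and flags script-like markup whether it was sent raw or percent-encoded. The log lines, host addresses and status values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the advisory names as the injection points in the register handler.
WATCHED_PARAMS = ("firstname", "lastname", "username")
# Markup that has no business in a name field: tags, inline event handlers, javascript: URLs.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Apache combined log format: host, ident, user, [time], "METHOD PATH PROTO", status, ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_register_request(path):
    """True when the request path is Master.php invoked with f=register."""
    parts = urlsplit(path)
    if not parts.path.endswith("/classes/Master.php"):
        return False
    return parse_qs(parts.query).get("f", [""])[0] == "register"

def suspicious_params(path):
    """Return {param: decoded value} for watched params carrying script-like markup."""
    found = {}
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(unquote(value))  # parse_qs decoded once; catch double-encoding too
            if XSS_MARKERS.search(decoded):
                found[name] = decoded
    return found

def scan_access_log(lines):
    """Scan log lines and return one record per request that probes the register handler."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, ts, method, path, status = m.groups()
        if is_register_request(path):
            params = suspicious_params(path)
            if params:
                hits.append({"host": host, "time": ts, "status": int(status), "params": params})
    return hits

# Constructed sample lines (not real traffic): raw payload, percent-encoded payload, benign, other page.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2026:10:01:02 +0000] "GET /tourism/classes/Master.php?f=register&firstname=<script>alert(1)</script>&lastname=x HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [08/Feb/2026:10:01:09 +0000] "GET /tourism/classes/Master.php?f=register&username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [08/Feb/2026:10:02:00 +0000] "GET /tourism/classes/Master.php?f=register&firstname=Anna&lastname=Schmidt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [08/Feb/2026:10:03:00 +0000] "GET /tourism/index.php?page=home&firstname=<b>x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The same decoding step is what a WAF rule or SIEM query needs; a plain text match on `<script` misses the percent-encoded form, which is how a browser-submitted form would actually transmit it.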
Update to a patched version of the software. If no such version is available, it is recommended to sanitize the input of the firstname, lastname and username fields to prevent the injection of malicious code.
CVE-2026-2159 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. Until then, implement input validation and WAF rules.
A public proof-of-concept exists, suggesting a high probability of exploitation. Monitor your systems and implement mitigations.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2159.