LOW · CVE-2026-6162 · CVSS 3.5

CVE-2026-6162: XSS in PHPGurukul Company Visitor Management System

Platform

php

Component

phpgurukul-company-visitor-management-system

Fixed in

2.0.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-6162 describes a cross-site scripting (XSS) vulnerability in PHPGurukul Company Visitor Management System version 2.0. The flaw lets an attacker inject script through the 'fromdate' parameter of /bwdates-reports-details.php (see Mitigation and Workarounds), which can lead to session hijacking or defacement of the page for the user who renders it. The vulnerability is exploitable over the network, but the CVSS vector requires a low-privileged account and user interaction. This page lists 2.0.1 as the fixed version while the timeline section still records the issue as unpatched, so confirm with the vendor which release carries the fix.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-6162 lets an attacker inject arbitrary JavaScript that runs in the victim's browser within the application's origin. That script can read the session cookie unless it carries the HttpOnly flag, send requests with the victim's session to impersonate them or act on their behalf, or redirect the victim to an attacker-controlled site. The impact grows if the application holds sensitive visitor data or is integrated with other internal systems reachable from the victim's browser. The CVSS vector records no confidentiality impact and only low integrity impact (C:N/I:L); treat that score as a baseline rather than a ceiling in a deployment where administrators view the reports page. The root cause is the familiar one: user-supplied input is reflected into the response without validation or output encoding.

Exploitation Context

CVE-2026-6162 was published on 2026-04-13. The exploit-status fields on this page disagree (Proof of Concept: Unknown versus SSVC Exploitation: poc, and the CVSS vector carries E:P), so assume a proof of concept exists. The CVSS base score is 3.5 (Low): the vector requires a valid low-privileged account and a victim who follows a crafted link or submits a crafted form, which limits opportunistic mass exploitation. As of the publication date there is no indication of active exploitation campaigns targeting this vulnerability. Monitor security advisories from PHPGurukul for updates and further guidance.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (9th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS v3.1 Base Score: 3.5 (LOW)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: phpgurukul-company-visitor-management-system
Vendor: PHPGurukul
Affected range: 2.0 – 2.0
Fixed in: 2.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 41 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-6162 is to upgrade to the fixed release (this page records 2.0.1; the timeline section still lists the issue as unpatched, so confirm with PHPGurukul). Until the upgrade is applied: validate the 'fromdate' parameter in /bwdates-reports-details.php against the exact date format the report expects (for example YYYY-MM-DD) and reject anything that does not match, rather than trying to strip dangerous characters; encode the value with htmlspecialchars() using ENT_QUOTES wherever it is written back into the page so the browser treats it as text rather than markup; and, as a compensating control only, place a Web Application Firewall (WAF) with XSS rules in front of the application and restrict the reports page to trusted accounts. A WAF reduces exposure but does not remove the bug.
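As an added example (not PHPGurukul's code, and not the patched 2.0.1 source), the following PHP applies the two workarounds from the paragraph above to a 'fromdate' parameter: a strict whitelist validator that rejects anything that is not a real calendar date, and output encoding at the point where the value is written back into the page. The unsafe echo is shown beside the hardened one. The request array, the rendered input field and the sample payload are constructed for illustration; the real layout of /bwdates-reports-details.php is not reproduced. Assumes PHP 8.0 or later.

```php
<?php
// Added example, not the vendor's code: strict validation of a 'fromdate'
// report parameter plus output encoding. The request shape, the input field
// and the payload below are constructed for illustration only.
declare(strict_types=1);

/**
 * Accept only a calendar date in YYYY-MM-DD form. Returns the normalised
 * date on success, or null for anything else (including "2026-02-30").
 */
function validate_report_date(string $raw): ?string
{
    // Whitelist the shape first: exactly ten characters, digits and dashes.
    if (preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw) !== 1) {
        return null;
    }
    // '!' resets unspecified fields so the round-trip comparison is exact;
    // createFromFormat alone would silently roll 2026-02-30 into March.
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

/** Encode a value for insertion into HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Unsafe pattern: the raw parameter is echoed straight back into the page.
 * This is the general shape of a reflected XSS bug, not the vendor's source.
 */
function render_unsafe(array $request): string
{
    $from = $request['fromdate'] ?? '';
    return '<input type="text" name="fromdate" value="' . $from . '">';
}

/** Hardened: validate before use, encode before output. */
function render_safe(array $request): string
{
    $from = validate_report_date((string)($request['fromdate'] ?? ''));
    if ($from === null) {
        http_response_code(400);
        return '<p class="error">Invalid date.</p>';
    }
    return '<input type="text" name="fromdate" value="' . e($from) . '">';
}

// Constructed inputs: a benign date and an attribute-breakout payload.
$benign = ['fromdate' => '2026-04-13'];
$attack = ['fromdate' => '2026-04-13" autofocus onfocus="alert(1)'];

assert(validate_report_date('2026-04-13') === '2026-04-13');
assert(validate_report_date('2026-02-30') === null);
assert(validate_report_date($attack['fromdate']) === null);
assert(str_contains(render_unsafe($attack), 'onfocus="alert(1)"'));
assert(!str_contains(render_safe($attack), 'onfocus'));
assert(render_safe($benign) === '<input type="text" name="fromdate" value="2026-04-13">');
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every assertion holds (with zend.assertions enabled). The validator does the real work here: a date that passes it contains no quote, angle bracket or event-handler text, so the encoding step in render_safe is defence in depth rather than the only barrier, and the same validated value is also safe to hand to whatever the report page does with it downstream.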

How to fix

Update PHPGurukul Company Visitor Management System to 2.0.1 or later, the version this page records as fixed, following the vendor's update instructions. After upgrading, confirm the fix by requesting /bwdates-reports-details.php with a harmless marker in 'fromdate' (for example a string containing < and ") and checking that the response either rejects it or returns it HTML-encoded. Keep input validation and output encoding in place as defence in depth against future XSS.


Frequently asked questions

What is CVE-2026-6162 — XSS in PHPGurukul Company Visitor Management System?

CVE-2026-6162 is a cross-site scripting (XSS) vulnerability in PHPGurukul Company Visitor Management System version 2.0 that allows an authenticated attacker to inject script via the 'fromdate' parameter of /bwdates-reports-details.php.

Am I affected by CVE-2026-6162 in PHPGurukul Company Visitor Management System?

If you run PHPGurukul Company Visitor Management System version 2.0 and have not upgraded to 2.0.1 (the release this page records as fixed), you are potentially affected by this vulnerability.

How do I fix CVE-2026-6162 in PHPGurukul Company Visitor Management System?

The recommended fix is to upgrade to a patched version of PHPGurukul Company Visitor Management System. Until then, implement input validation and output encoding.

Is CVE-2026-6162 being actively exploited?

As of the publication date, there is no confirmed evidence of active exploitation, but a proof-of-concept may be available.

Where can I find the official PHPGurukul advisory for CVE-2026-6162?

Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2026-6162.
