CVE-2026-4596: XSS in Lawyer Management System
Platform: php
Component: collection-of-vulnerability
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Lawyer Management System version 1.0. This flaw resides in the processing of the /lawyers.php file, specifically concerning the manipulation of the 'first_Name' argument. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. A public proof-of-concept is available, increasing the risk of exploitation.
Impact and Attack Scenarios
The primary impact of CVE-2026-4596 is the potential for cross-site scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the Lawyer Management System through the manipulation of the 'first_Name' parameter within the /lawyers.php file. This injected script could then execute in the context of a legitimate user's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. The remote nature of the exploit means an attacker doesn't need local access to the system to launch the attack. Given the availability of a public proof-of-concept, the risk of exploitation is elevated.
Exploitation Context
CVE-2026-4596 is a relatively low-severity vulnerability, as indicated by its CVSS score of 3.5. However, the availability of a public proof-of-concept significantly increases the likelihood of exploitation. While no active campaigns have been publicly reported, the ease of exploitation makes it a potential target for opportunistic attackers. The vulnerability was publicly disclosed on 2026-03-23.
Threat Intelligence
EPSS: 0.03% (8th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access is required.
- User Interaction: Required — the victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. The attacker cannot read protected data.
- Integrity: Low — the attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. The service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2026-4596 is to upgrade to a patched version of the Lawyer Management System. Since a fixed version is not specified, immediate action is crucial. As an interim measure, consider implementing strict input validation and sanitization on the 'first_Name' parameter within the /lawyers.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging XSS techniques.
How to fix
Upgrade to a patched version or apply the security measures needed to prevent XSS code from executing. Validate and sanitize user input, especially the first_Name field in lawyers.php.
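The input validation and output encoding that the mitigation section and this fix note call for, shown as an added PHP example. This is not the project's lawyers.php code; the form submission method (POST) and the HTML shape around the value are assumptions.

```php
<?php
// Added example, not the project's code. Assumes first_Name arrives via POST
// and is rendered inside a table cell and an input attribute (hypothetical).

// Step 1: validate. Restrict first_Name to a plausible name character set so
// markup never gets stored in the first place.
function validateFirstName(string $raw): ?string
{
    $name = trim($raw);
    // Non-empty, bounded length (bytes), letters in any script, spaces,
    // hyphens and apostrophes only; must start with a letter.
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (!preg_match('/^\p{L}[\p{L} \'\-]*$/u', $name)) {
        return null;
    }
    return $name;
}

// Step 2: encode at output. This is the actual XSS fix: whatever is stored,
// the browser receives it as text, not markup. ENT_QUOTES also encodes both
// quote styles, so the same helper is safe inside attribute values.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (for contrast, not to be used): the raw parameter is
// written straight into the page, so any HTML or script in it is rendered.
// echo '<td>' . $_POST['first_Name'] . '</td>';

// Hardened pattern: reject anything that is not a name, then encode on output.
$firstName = validateFirstName((string)($_POST['first_Name'] ?? ''));
if ($firstName === null) {
    http_response_code(400);
    exit('Invalid first name');
}
echo '<td>' . escapeHtml($firstName) . '</td>';
echo '<input type="text" name="first_Name" value="' . escapeHtml($firstName) . '">';
```

Validation alone is not sufficient, since records already stored before the fix bypass it; the `escapeHtml()` call at every output point is what neutralises stored payloads.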
Frequently asked questions
What is CVE-2026-4596 — XSS in Lawyer Management System?
CVE-2026-4596 is a cross-site scripting (XSS) vulnerability affecting Lawyer Management System version 1.0. It allows attackers to inject malicious scripts through the /lawyers.php file's 'first_Name' parameter.
Am I affected by CVE-2026-4596 in Lawyer Management System?
If you are using Lawyer Management System version 1.0, you are potentially affected. Upgrade to a patched version as soon as possible.
How do I fix CVE-2026-4596 in Lawyer Management System?
Upgrade to a patched version of Lawyer Management System. As an interim measure, implement strict input validation and sanitization on the 'first_Name' parameter and consider using a WAF.
Is CVE-2026-4596 being actively exploited?
While no active campaigns have been confirmed, the availability of a public proof-of-concept suggests a heightened risk of exploitation.
Where can I find the official Lawyer Management System advisory for CVE-2026-4596?
Refer to the projectworlds website or relevant security mailing lists for the official advisory regarding CVE-2026-4596.