Scan free
MEDIUMCVE-2026-5825CVSS 4.3

CVE-2026-5825: XSS in Simple Laundry System 1.0

Platform

php

Component

simple-laundry-system

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2026-5825 describes a cross-site scripting (XSS) vulnerability discovered in Simple Laundry System, versions 1.0.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially stealing user data or performing actions on their behalf. The vulnerability resides within the /delmemberinfo.php file and is triggered by manipulating the userid argument. A public exploit is now available.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-5825 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. Sensitive user data, such as login credentials or personal information, could be compromised. Given the public availability of an exploit, the risk of widespread exploitation is significant, particularly for systems with vulnerable versions still deployed.

Exploitation Context

CVE-2026-5825 is currently considered a high-risk vulnerability due to the public availability of an exploit. While no active campaigns have been definitively linked to this specific CVE, the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability was publicly disclosed on 2026-04-09, indicating a relatively short timeframe between discovery and public awareness.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.01% (1% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R4.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentsimple-laundry-system
Vendorcode-projects
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 45 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-5825 is to upgrade Simple Laundry System to a patched version as soon as it becomes available. Until an upgrade is possible, consider implementing input validation and sanitization on the userid parameter in /delmemberinfo.php to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update your WAF rules to ensure they are effective against emerging XSS techniques.

How to fix

Update the Simple Laundry System to the latest available version to mitigate the XSS (Cross-Site Scripting) vulnerability. Review and sanitize the 'userid' user input before using it in any context that could generate HTML. Implement additional security measures, such as output encoding, to prevent XSS attacks.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5825 — XSS in Simple Laundry System 1.0?

CVE-2026-5825 is a cross-site scripting (XSS) vulnerability in Simple Laundry System versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the 'userid' parameter in /delmemberinfo.php.

Am I affected by CVE-2026-5825 in Simple Laundry System 1.0?

If you are running Simple Laundry System version 1.0.0 or 1.0, you are potentially affected by this XSS vulnerability. Check your version and apply the recommended mitigation.

How do I fix CVE-2026-5825 in Simple Laundry System 1.0?

The recommended fix is to upgrade to a patched version of Simple Laundry System. Until then, implement input validation and sanitization on the 'userid' parameter and consider using a WAF.

Is CVE-2026-5825 being actively exploited?

A public exploit exists, increasing the likelihood of exploitation. While no confirmed active campaigns are known, the ease of exploitation makes it a potential target.

Where can I find the official Simple Laundry System advisory for CVE-2026-5825?

Refer to the Simple Laundry System project's official website or security advisory page for updates and the latest information regarding CVE-2026-5825.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs