Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in isourcecode Society Management System version 1.0. This flaw resides within the /admin/expenses.php file, specifically in the handling of the 'detail' argument. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. Affected versions include 1.0. A fix is expected from the vendor.
The XSS vulnerability in isourcecode Society Management System allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. An attacker could steal sensitive information like user credentials or financial data. Given the publicly available exploit, the risk of exploitation is significant, particularly for systems with unpatched installations. The impact is amplified if the application is used to manage sensitive data or handle financial transactions.
CVE-2026-1134 has a publicly available proof-of-concept (PoC), indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-01-19. While no active exploitation campaigns have been definitively confirmed, the availability of a PoC significantly increases the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-1134 is to upgrade to a patched version of isourcecode Society Management System as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Input validation and sanitization on the 'detail' parameter in /admin/expenses.php can help prevent malicious code injection. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific endpoint can also provide a layer of protection. Carefully review and restrict access to the /admin/expenses.php page to authorized personnel only. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'detail' parameter and verifying that it is properly sanitized.
Update to a patched version of the software. If a patched version is not available, it is recommended to sanitize user inputs in the /admin/expenses.php file, especially the 'detail' argument, to prevent the injection of malicious code.
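The input-validation and output-encoding workaround described above, as an added example written for this page rather than code taken from the isourcecode project: the variable names, the 500-character limit and the sample input are all constructed, since the real /admin/expenses.php source is not reproduced here.

```php
<?php
declare(strict_types=1);

// Pattern this advisory describes: a request parameter written straight
// into the HTML response, so markup placed in 'detail' is rendered and
// any script in it runs in the administrator's browser.
//
//   echo '<td>' . $_POST['detail'] . '</td>';   // vulnerable, do not use

// Hardened handling: validate on the way in, encode on the way out.

function validateDetail(?string $raw): string
{
    if ($raw === null) {
        throw new InvalidArgumentException('detail is required');
    }
    // Reject malformed UTF-8 first so the encoder below cannot be fed
    // byte sequences it would otherwise drop silently.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('detail must be valid UTF-8');
    }
    // Assumed business rule: an expense note is short free text.
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 500) {
        throw new InvalidArgumentException('detail must be 1-500 characters');
    }
    return $value;
}

// Encode for an HTML text or attribute context. ENT_QUOTES escapes both
// quote styles; ENT_SUBSTITUTE replaces bad bytes instead of returning ''.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample standing in for the 'detail' request parameter.
$request = ['detail' => '  <b>Lift repair</b> & "tools" <script>x</script>  '];

$detail = validateDetail($request['detail'] ?? null);
// Persist $detail with a prepared statement; then, when rendering the
// expense list, encode at the point of output rather than relying on
// whatever was stored.
echo '<td>' . escapeHtml($detail) . "</td>\n";
```

Encoding at output time is what actually closes the hole; the length and UTF-8 checks only narrow the input surface and should not be treated as a substitute for it.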
CVE-2026-1134 is a cross-site scripting (XSS) vulnerability affecting isourcecode Society Management System version 1.0. It allows attackers to inject malicious scripts via the /admin/expenses.php file's 'detail' argument.
If you are using isourcecode Society Management System version 1.0, you are potentially affected by this vulnerability. Check your installation and apply the recommended mitigations immediately.
The recommended fix is to upgrade to a patched version of isourcecode Society Management System as soon as it becomes available. Until then, implement input validation and WAF rules.
While no confirmed active exploitation campaigns are currently known, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the isourcecode Society Management System website or their official security advisory channels for updates and the official advisory regarding CVE-2026-1134.