Platform: php
Component: cve_choco_5
Fixed in: 1.0.1
CVE-2026-2159 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Simple Responsive Tourism Website version 1.0. This flaw allows an attacker to inject malicious scripts into the website, potentially stealing user data or performing actions on their behalf. The vulnerability resides within the registration process, specifically in the handling of firstname, lastname, and username parameters. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2159 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially harvest sensitive user information, such as login credentials or personal details. Given the tourism-focused nature of the website, data like booking information and payment details could also be at risk. The remote accessibility of the vulnerability significantly broadens the potential attack surface.
A public proof-of-concept (PoC) for CVE-2026-2159 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-08. It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring. Active campaigns targeting this vulnerability are possible given the availability of the PoC.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2159 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website as soon as it becomes available. Until an upgrade is possible, consider implementing input validation and sanitization on the firstname, lastname, and username parameters within the /tourism/classes/Master.php?f=register file. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update server-side code to prevent similar vulnerabilities from arising.
Update to a patched version of the software. If no version is available, it is recommended to sanitize the inputs of the firstname, lastname, and username fields to prevent the injection of malicious code.
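An added example of the interim mitigation described above, not code from the SourceCodester project: the three registration fields are validated against an allowlist before use, and every value is HTML-encoded at the point where it is written back into a page. Function names, patterns and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not the project's code): hardened handling of the
// registration fields named in the advisory. Function and variable
// names are assumptions, not the application's own.

declare(strict_types=1);

// Reject input that does not match an allowlist; this is the
// validation step the mitigation section recommends.
function validate_registration(array $post): array
{
    $errors = [];
    $fields = [
        // Names: letters, combining marks, spaces, apostrophes, hyphens; 1-50 chars.
        'firstname' => '/^[\p{L}\p{M}\' -]{1,50}$/u',
        'lastname'  => '/^[\p{L}\p{M}\' -]{1,50}$/u',
        // Usernames: ASCII alphanumerics, dot, underscore; 3-30 chars.
        'username'  => '/^[A-Za-z0-9._]{3,30}$/',
    ];
    $clean = [];
    foreach ($fields as $name => $pattern) {
        $value = trim((string)($post[$name] ?? ''));
        if (preg_match($pattern, $value) !== 1) {
            $errors[] = "Invalid value for {$name}";
            continue;
        }
        $clean[$name] = $value;
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Output encoding: whatever is stored must still be escaped when it is
// written into HTML, so a value that predates validation (or slipped
// past it) is rendered as text. ENT_QUOTES covers both quote styles,
// which matters when a value lands inside an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, shaped like a registration form submission.
$sample = ['firstname' => 'Ann', 'lastname' => "O'Neil", 'username' => 'ann.oneil'];
$result = validate_registration($sample);

if ($result['ok']) {
    // Vulnerable pattern: echo "Welcome {$row['firstname']}";
    // Hardened: encode at the point of output.
    echo 'Welcome ' . h($result['data']['firstname']) . ' ' . h($result['data']['lastname']);
}
```

Validation alone is not sufficient, since records written before the fix remain in the database; the output encoding in `h()` is what protects existing data.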
CVE-2026-2159 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. Until then, implement input validation and WAF rules.
A public proof-of-concept exists, suggesting a high probability of exploitation. Monitor your systems and implement mitigations.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2159.