Platform: php
Component: cve_choco_6
Fixed in: 1.0.1
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0. This vulnerability allows an attacker to inject malicious scripts into the website, potentially compromising user accounts and data. The vulnerability resides in the file /tourism/classes/Master.php?f=save_package and is triggered by manipulating the 'Title' parameter. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2160 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the website. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to the backend system if the user has administrative privileges. The impact is amplified if the website is used to collect sensitive data or process financial transactions.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been confirmed, the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-2160 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. As a temporary workaround, input validation and sanitization should be implemented on the 'Title' parameter in /tourism/classes/Master.php?f=save_package to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to filter out requests containing suspicious JavaScript code. Regularly review and update the website's code to address potential vulnerabilities.
Update to a patched version or apply necessary security measures to prevent code injection (XSS). Validate and sanitize user inputs, especially the 'Title' field, before displaying them on the web page.
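As an added example (not code from the SourceCodester project), the following PHP shows the two layers the workaround above describes for a package title: validating the value when it is saved, and HTML-encoding it wherever it is rendered. The function names and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added example, not the SourceCodester project's code. Function names
// (validate_title, render_title_*) and the sample input are hypothetical.
declare(strict_types=1);

// Server-side validation on save: reject titles that are empty, too long,
// or contain control characters. This limits what gets stored; it is not,
// by itself, the XSS fix. Returns the trimmed title or null if rejected.
function validate_title(string $raw): ?string
{
    $title = trim($raw);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 150) {
        return null;
    }
    // Reject ASCII control characters (tab, CR and LF are allowed here).
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title)) {
        return null;
    }
    return $title;
}

// Contextual output encoding: the actual defence against stored XSS.
// Every copy of the stored title that lands in an HTML body goes through this.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering, showing the bug class the advisory describes:
// the stored value is echoed raw, so a title containing markup executes.
function render_title_vulnerable(string $stored): string
{
    return "<h3 class=\"package-title\">{$stored}</h3>";
}

// Hardened rendering: identical markup, encoded value.
function render_title_safe(string $stored): string
{
    return '<h3 class="package-title">' . e($stored) . '</h3>';
}

// Constructed demonstration input (not taken from the advisory).
$submitted = '<script>alert(1)</script>Sunset Tour';
$title = validate_title($submitted) ?? 'Untitled package';
echo render_title_safe($title), PHP_EOL;
```

Encoding must match the output context: a title placed inside a JavaScript string or an attribute without quotes needs a different encoder than `htmlspecialchars()` provides for HTML body text.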
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability in SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts via the 'Title' parameter.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the SourceCodester Simple Responsive Tourism Website. Implement input validation as a temporary workaround.
While no active campaigns have been confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the latest advisory regarding CVE-2026-2160.