Platform: php
Component: cvesmarz
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in BloodBank Managing System version 1.0. This flaw resides within the /admin_state.php file and allows attackers to inject malicious scripts by manipulating the statename argument. Successful exploitation could lead to session hijacking, data theft, or defacement of the application. The vulnerability has been publicly disclosed.
The XSS vulnerability in BloodBank Managing System allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or inject content that appears to be legitimate, tricking users into revealing sensitive information. The remote nature of the exploit means an attacker does not need local access to the system. Given the sensitive nature of data potentially managed by a blood bank system (patient records, donor information), the impact could be significant, leading to privacy breaches and reputational damage.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The lack of a specified fixed version suggests the vendor may not have released a patch yet, making systems running version 1.0 particularly vulnerable. No KEV listing or confirmed exploitation campaigns are currently known, but the public disclosure warrants immediate attention.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5240 is to upgrade to a patched version of BloodBank Managing System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation and sanitization on the statename parameter within /admin_state.php. A Web Application Firewall (WAF) can be configured to block requests containing suspicious characters or patterns in the statename parameter. Regularly review and update WAF rules to adapt to evolving attack techniques. After implementing mitigations, thoroughly test the application to ensure functionality remains intact and the vulnerability is effectively neutralized.
Update to a patched version or apply the necessary security measures to prevent cross-site scripting (XSS) code injection. Validate and sanitize user input, especially the 'statename' parameter in the 'admin_state.php' file.
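The workaround above (validate the statename parameter, then encode it on output) as an added PHP example. This is not the BloodBank Managing System code: the request handling, the function names and the allowlist rule for a state name are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
// Added example, not the application's own /admin_state.php. It contrasts
// a reflected-XSS pattern (untrusted 'statename' written straight into HTML)
// with a hardened version that validates on input and encodes on output.
declare(strict_types=1);

// Vulnerable pattern: the request value lands in the page unencoded, so
// any markup in 'statename' is interpreted by the browser.
function render_state_vulnerable(array $request): string
{
    $stateName = (string)($request['statename'] ?? '');
    return '<h2>State: ' . $stateName . '</h2>';
}

// Assumed allowlist: a state name starts with a letter and contains only
// letters, spaces, dots, apostrophes or hyphens, at most 64 bytes.
function validate_state_name(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 64) {
        return null;
    }
    if (preg_match('/^\p{L}[\p{L} .\'\-]*$/u', $value) !== 1) {
        return null;
    }
    return $value;
}

// Output encoding for an HTML text/attribute context. ENT_QUOTES covers
// both quote styles, ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: reject anything outside the allowlist, and encode what
// survives so that even a valid-looking value cannot change page structure.
function render_state_hardened(array $request): string
{
    $stateName = validate_state_name((string)($request['statename'] ?? ''));
    if ($stateName === null) {
        return '<p>Invalid state name.</p>';
    }
    return '<h2>State: ' . html_escape($stateName) . '</h2>';
}

// Constructed sample requests: a legitimate value and one carrying markup.
foreach ([['statename' => 'New South Wales'], ['statename' => '<script>alert(1)</script>']] as $req) {
    echo "vulnerable: " . render_state_vulnerable($req) . PHP_EOL;
    echo "hardened:   " . render_state_hardened($req) . PHP_EOL;
}
```

A WAF rule on statename is a useful second layer, but the encoding step is what closes the bug, since a WAF cannot know every way a browser will interpret a reflected value.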
CVE-2026-5240 is a cross-site scripting (XSS) vulnerability in BloodBank Managing System version 1.0, allowing attackers to inject malicious scripts via the 'statename' parameter in /admin_state.php.
If you are running BloodBank Managing System version 1.0 and have not applied a patch, you are likely affected. Immediate action is recommended.
Upgrade to a patched version of BloodBank Managing System. If a patch is unavailable, implement input sanitization and WAF rules as temporary mitigations.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the BloodBank Managing System vendor's website or security advisory page for the latest information and official guidance.