Platform
php
Component
simple-customer-relationship-management-system
Fixed in
1.0.1
CVE-2026-5325 is a cross-site scripting (XSS) vulnerability in SourceCodester Simple Customer Relationship Management System version 1.0. An attacker can inject script by manipulating the Description argument handled by /create-ticket.php. Successful exploitation can lead to data theft, session hijacking, or defacement of the application. The vulnerability has been publicly disclosed.
The XSS vulnerability in Simple Customer Relationship Management System allows an attacker to inject arbitrary JavaScript into the application. The script executes in the browser of any user who loads a page where the injected content is rendered; if the ticket description is stored and later shown to other users, such as staff reviewing the ticket, the payload runs with their session and privileges. An attacker could use this to steal session cookies, redirect users to malicious sites, or alter the content of the application. Because a CRM holds customer records, script running in an authenticated user's session can read or modify that data through the application's own pages. The public disclosure increases the likelihood of exploitation.
CVE-2026-5325 has been publicly disclosed, increasing the risk of exploitation. The vulnerability is rated as LOW severity according to CVSS. Public proof-of-concept exploits are likely to emerge given the disclosure. No KEV listing or confirmed exploitation campaigns are currently known as of the publication date.
Exploit Status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2026-5325 is to upgrade to a patched version of Simple Customer Relationship Management System; version 1.0.1 is listed above as the fixed release. If you cannot upgrade immediately, apply contextual output encoding wherever the Description value is rendered (for an HTML-text or attribute context in PHP, htmlspecialchars with ENT_QUOTES), and add input validation on the Description field in /create-ticket.php as a secondary control; validation alone does not fix the sink. A Web Application Firewall (WAF) with XSS filtering rules can block obvious payloads but is a stopgap, not a fix. Verify the fix by submitting a simple payload (e.g., <script>alert('XSS')</script>) through the Description field and confirming that every page which displays the description shows the text encoded rather than executing it; a WAF rejecting the request at the edge does not prove the application itself encodes the output.
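The following is an added example for this advisory, not code from Simple Customer Relationship Management System (whose source is not shown on this page). It reconstructs the stored-XSS round trip through a ticket description and places the vulnerable output pattern beside the hardened one, plus the check that the advisory recommends running after the fix. The file and field names come from the advisory; the table layout, the function names, the PDO/SQLite storage and the PHP 8.0+ requirement are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from Simple Customer Relationship Management System.
// /create-ticket.php and the Description field are from the advisory; the table
// layout, function names and in-memory SQLite storage are assumptions. PHP 8.0+.

// Constructed payload of the kind submitted through the Description field.
const SAMPLE_PAYLOAD = "<script>alert('XSS')</script>";

// Vulnerable output pattern: the stored description is echoed unencoded, so the
// browser runs the stored markup in the session of whoever views the ticket.
function render_description_vulnerable(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

// Hardened output pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and ", so h() is safe inside quoted attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_description_fixed(string $description): string
{
    return '<td class="description">' . h($description) . '</td>';
}

// Secondary control on the input side: reject invalid UTF-8, strip control
// characters, cap the length. This narrows what is stored; it does not replace
// output encoding, and it deliberately does not try to "filter out" HTML.
function validate_description(string $raw): string
{
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $raw);
    if ($clean === null) {
        throw new InvalidArgumentException('Description is not valid UTF-8');
    }
    if (mb_strlen($clean, 'UTF-8') > 2000) {
        throw new InvalidArgumentException('Description exceeds 2000 characters');
    }
    return $clean;
}

// Assumed shape of the create-ticket handler: parameterised insert, text stored
// as submitted. Raw text in the database is fine as long as every output path
// encodes it.
function create_ticket(PDO $db, string $subject, string $description): int
{
    $stmt = $db->prepare('INSERT INTO tickets (subject, description) VALUES (:s, :d)');
    $stmt->execute([':s' => $subject, ':d' => validate_description($description)]);
    return (int) $db->lastInsertId();
}

function fetch_description(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT description FROM tickets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// The verification step from the advisory, as a check on rendered HTML: after
// the fix the raw payload must be absent and its encoded form present.
function payload_is_neutralised(string $html, string $payload): bool
{
    return !str_contains($html, $payload) && str_contains($html, h($payload));
}

// Round trip through an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, description TEXT)');

$id     = create_ticket($db, 'Login broken', SAMPLE_PAYLOAD);
$stored = fetch_description($db, $id);

$vulnerable = render_description_vulnerable($stored);
$fixed      = render_description_fixed($stored);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
echo 'vulnerable neutralised? ', var_export(payload_is_neutralised($vulnerable, SAMPLE_PAYLOAD), true), "\n";
echo 'fixed neutralised?      ', var_export(payload_is_neutralised($fixed, SAMPLE_PAYLOAD), true), "\n";
```

Run it with `php example.php` on a build that has the pdo_sqlite extension. The point to carry over to the real application is that h() must wrap the description at every place it is printed (ticket list, ticket detail, any export to HTML email), since a single unencoded sink is enough for the stored payload to fire.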
Update to version 1.0.1 or later, the release listed above as fixed. If that release is not available from SourceCodester, contact the vendor for a patch or an updated version that addresses the Cross-Site Scripting (XSS) vulnerability in the create-ticket.php file.
CVE-2026-5325 is a cross-site scripting (XSS) vulnerability in Simple Customer Relationship Management System version 1.0, allowing attackers to inject malicious scripts via the Description field in /create-ticket.php.
You are affected if you are using Simple Customer Relationship Management System version 1.0 and have not applied a patch or implemented mitigating controls.
Upgrade to version 1.0.1 or later. If a patch is unavailable, encode the Description value on output and validate it on input, and consider a WAF as a stopgap.
While no confirmed exploitation campaigns are currently known, the vulnerability is publicly disclosed, increasing the likelihood of exploitation.
Refer to the SourceCodester website or relevant security forums for updates and advisories regarding CVE-2026-5325.