Platform: php
Component: vehicle-showroom-management-system
Fixed in: 1.0.1
CVE-2026-6034 describes a cross-site scripting (XSS) vulnerability in the Vehicle Showroom Management System: the BRANCH_ID parameter of /BranchManagement/ProfitAndLossReport.php is reflected into the page without output encoding, so an attacker can inject script into the response. The vulnerability affects versions 1.0.0 through 1.0 and is fixed in 1.0.1. A public exploit is available, which lowers the bar for opportunistic exploitation.
Successful exploitation of CVE-2026-6034 allows an attacker to execute arbitrary JavaScript in the browser of a user who opens a crafted link to the vulnerable endpoint, in the origin of the Vehicle Showroom Management System. From there the script can read any session cookie not marked HttpOnly, issue requests with the victim's session regardless of that flag, redirect the user to attacker-controlled sites, or rewrite the displayed page. The impact is greater where the application holds sensitive data such as customer records or financial details, and where the victim is an administrator. Because the payload is delivered through a URL, every user of a vulnerable installation who can be lured to such a link is a potential target.
CVE-2026-6034 has a public proof-of-concept available. The vulnerability was disclosed on 2026-04-10. The CVSS base score of 4.3 (Medium) reflects the limited per-victim impact of a reflected XSS; the EPSS estimate of 0.03% (10th percentile) indicates a low expected probability of exploitation in the wild, so the public PoC makes scanning and targeted phishing plausible rather than guaranteed.
Organizations running the Vehicle Showroom Management System, particularly with instances reachable from the Internet, are at risk. Since the injected script runs in the origin of the vulnerable application, server co-tenancy is not the deciding factor; what matters is the number of authenticated users, such as staff across several branches, who log into the same instance and can be induced to open a crafted link, since any of their sessions can be hijacked.
• php / generic web:
# Reflection check: send a marker payload in BRANCH_ID and look for it echoed back
# unencoded in the body. The URL is quoted so the shell does not treat "<" and ">"
# as redirections; the original test issues a POST with the payload in the query string.
curl -s -X POST "http://<target>/BranchManagement/ProfitAndLossReport.php?BRANCH_ID=<script>alert(1)</script>" | grep "<script>alert(1)</script>"
• generic web:
# Header-only check (-I sends HEAD): confirms the endpoint exists and shows whether
# a Content-Security-Policy or similar header is set. HEAD returns no body, so this
# cannot show the reflection itself; use the first command for that.
curl -I "http://<target>/BranchManagement/ProfitAndLossReport.php?BRANCH_ID=<script>alert(1)</script>"
• generic web:
# Log review: payloads normally arrive URL-encoded, so match the encoded form
# (%3Cscript%3E) as well as the literal tag, scoped to the affected endpoint.
grep -iE "ProfitAndLossReport\.php.*BRANCH_ID=.*(<script>|%3Cscript%3E)" /var/log/apache2/access.log
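A plain grep misses payloads that are URL-encoded in a form other than the one in the pattern, and double-encoded payloads entirely. The following script, added here as an example and not part of the original page or of the Vehicle Showroom Management System project, parses Apache combined-format log lines, isolates the BRANCH_ID value for the affected endpoint, decodes it fully and flags values that look like markup rather than an identifier. The assumption that a legitimate BRANCH_ID is a plain integer is hypothetical, and the log lines are constructed samples, not real traffic.

```php
<?php
// Added example: triage access-log lines for XSS attempts against the BRANCH_ID
// parameter of ProfitAndLossReport.php. Requires PHP 8 (str_starts_with).
declare(strict_types=1);

const TARGET_PATH = '/BranchManagement/ProfitAndLossReport.php';
const PARAM       = 'BRANCH_ID';

/** Extract the request target ("/path?query") from a combined-format log line. */
function requestTarget(string $line): ?string
{
    // Combined format: client ident user [time] "METHOD target PROTO" status size ...
    if (preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+"/', $line, $m) === 1) {
        return $m[2];
    }
    return null;
}

/** Return the fully decoded BRANCH_ID value from the target, or null if absent. */
function branchIdValue(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);              // decodes one layer of %xx
    if (!isset($params[PARAM]) || !is_string($params[PARAM])) {
        return null;
    }
    $value = $params[PARAM];
    // Decode up to two more times to unmask double-encoded payloads (%253C -> %3C -> <).
    for ($i = 0; $i < 2 && $value !== ($decoded = rawurldecode($value)); $i++) {
        $value = $decoded;
    }
    return $value;
}

/** Heuristic: does the decoded value look like HTML/JS injection rather than an ID? */
function looksLikeXss(string $value): bool
{
    // Assumption (hypothetical): a legitimate BRANCH_ID is a plain positive integer.
    if (preg_match('/^\d+$/', $value) === 1) {
        return false;
    }
    return preg_match('/<\s*\/?\s*[a-z]|javascript\s*:|on[a-z]+\s*=/i', $value) === 1;
}

/** Scan log lines; return [1-based line number => decoded payload] for suspicious hits. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach (array_values($lines) as $n => $line) {
        $target = requestTarget($line);
        if ($target === null) {
            continue;
        }
        $path = parse_url($target, PHP_URL_PATH);
        if (!is_string($path) || !str_starts_with($path, TARGET_PATH)) {
            continue;
        }
        $value = branchIdValue($target);
        if ($value !== null && looksLikeXss($value)) {
            $hits[$n + 1] = $value;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): a benign request, a single-encoded
// payload, a double-encoded payload, and an unrelated endpoint that must not match.
$sample = [
    '203.0.113.5 - - [10/Apr/2026:10:00:01 +0000] "GET /BranchManagement/ProfitAndLossReport.php?BRANCH_ID=7 HTTP/1.1" 200 4311 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2026:10:00:02 +0000] "GET /BranchManagement/ProfitAndLossReport.php?BRANCH_ID=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4390 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Apr/2026:10:00:03 +0000] "GET /BranchManagement/ProfitAndLossReport.php?BRANCH_ID=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4402 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Apr/2026:10:00:04 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
];

foreach (scanLog($sample) as $lineNo => $payload) {
    printf("line %d: suspicious BRANCH_ID = %s\n", $lineNo, $payload);
}
```

Run it with `php scan.php`; on the constructed sample it reports lines 2 and 3 and ignores lines 1 and 4. To use it on a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. The integer assumption is the only thing that makes the heuristic tight; if your deployment uses non-numeric branch keys, keep the markup pattern and drop the early return.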
Exploit status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-6034 is to upgrade to version 1.0.1 or later of the Vehicle Showroom Management System. If upgrading is not immediately feasible, deploy a Web Application Firewall (WAF) rule that blocks requests to /BranchManagement/ProfitAndLossReport.php whose BRANCH_ID parameter contains markup or script characters (`<`, `>`, `"`, `'`, `javascript:`, `on*=`) in literal, URL-encoded or double-encoded form; treat this as a stopgap only, since encoding tricks routinely bypass pattern-based rules. If BRANCH_ID is expected to be a numeric identifier, as its name suggests, rejecting any non-integer value is both simpler and more robust than pattern blocking. In the application itself, validate user-supplied input against its expected type and HTML-encode every value at the point where it is written into a page (in PHP, `htmlspecialchars()` with `ENT_QUOTES`), since validation alone does not protect other reflection points. Marking the session cookie HttpOnly does not prevent the XSS but removes the simplest cookie-theft outcome. After applying mitigations, request the ProfitAndLossReport.php endpoint with the payloads used in the detection commands above and confirm the response either rejects the request or returns the payload encoded (for example `&lt;script&gt;`), never as a live tag.
Update the Vehicle Showroom Management System to the latest available version to mitigate the XSS vulnerability. Validate and sanitize user input, especially the BRANCH_ID parameter, to prevent the injection of malicious code. Apply output encoding to escape data before displaying it on the page.
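The fix described above, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the Vehicle Showroom Management System project; the function names and the assumption that BRANCH_ID is a positive integer are hypothetical, and the payload is the same marker used in the detection commands.

```php
<?php
// Added example: a report handler that reflects BRANCH_ID unencoded (the pattern
// CVE-2026-6034 describes) next to a hardened version that validates the input type
// and encodes at the output boundary. Not the project's own code.
declare(strict_types=1);

/** Vulnerable pattern: the raw query parameter is interpolated into HTML as-is. */
function renderReportVulnerable(array $get): string
{
    $branchId = $get['BRANCH_ID'] ?? '';
    return "<h2>Profit and loss for branch {$branchId}</h2>\n"
         . "<input type=\"hidden\" name=\"BRANCH_ID\" value=\"{$branchId}\">\n";
}

/** HTML-encode a value for insertion into element content or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also encodes ' and " so the value cannot break out of an attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern:
 *  1. validate the input against the type the application expects (assumption:
 *     an integer branch ID), rejecting everything else;
 *  2. still encode at the output boundary, so a later change to validation or
 *     reuse of the template with free-text data cannot reintroduce the bug.
 */
function renderReportHardened(array $get): string
{
    $raw = $get['BRANCH_ID'] ?? '';
    // FILTER_VALIDATE_INT returns false for "<script>", "7abc", "", etc.
    $branchId = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($branchId === false) {
        // A real handler would also send a 400 status here.
        return "<p>Invalid branch identifier.</p>\n";
    }
    $safe = e((string) $branchId);
    return "<h2>Profit and loss for branch {$safe}</h2>\n"
         . "<input type=\"hidden\" name=\"BRANCH_ID\" value=\"{$safe}\">\n";
}

// Constructed inputs: the marker payload, a legitimate ID, and an attribute break-out.
$payload = ['BRANCH_ID' => '<script>alert(1)</script>'];

echo "--- vulnerable: payload becomes a live tag ---\n", renderReportVulnerable($payload);
echo "--- hardened: payload rejected ---\n", renderReportHardened($payload);
echo "--- hardened: valid id still works ---\n", renderReportHardened(['BRANCH_ID' => '7']);
// Fields that legitimately carry free text get no type check, so encoding is what
// protects them; the attribute break-out below is neutralised by e().
echo "--- encoded free text ---\n", e('"><img src=x onerror=alert(1)>'), "\n";
```

Run with `php fix.php` and compare the first two sections: the vulnerable output contains the `<script>` tag verbatim, the hardened output never echoes the raw value. The two layers are deliberate; type validation stops the reported attack on BRANCH_ID, and output encoding is what covers every other value the template may one day interpolate.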
CVE-2026-6034 is a cross-site scripting (XSS) vulnerability in Vehicle Showroom Management System versions 1.0.0–1.0, allowing attackers to inject malicious scripts.
If you are using Vehicle Showroom Management System versions 1.0.0–1.0 and have not upgraded, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of Vehicle Showroom Management System. As a temporary workaround, implement a WAF rule to filter malicious input targeting the BRANCH_ID parameter.
A public proof-of-concept for CVE-2026-6034 is available, so opportunistic exploitation is possible; however, the EPSS estimate of 0.03% (10th percentile) is low and no confirmed in-the-wild exploitation is reported here. Treat exposed, unpatched instances as at risk and upgrade rather than wait for evidence of attacks.
Please refer to the official Vehicle Showroom Management System website or security channels for the advisory related to CVE-2026-6034.