Platform
php
Component
cve_choco_5
Fixed in
1.0.1
CVE-2026-2159 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Simple Responsive Tourism Website version 1.0. This flaw allows an attacker to inject malicious scripts into the website, potentially stealing user data or performing actions on their behalf. The vulnerability resides within the registration process, specifically in the handling of firstname, lastname, and username parameters. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2159 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially harvest sensitive user information, such as login credentials or personal details. Given the tourism-focused nature of the website, data like booking information and payment details could also be at risk. The remote accessibility of the vulnerability significantly broadens the potential attack surface.
A public proof-of-concept (PoC) for CVE-2026-2159 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-08. It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring. Active campaigns targeting this vulnerability are possible given the availability of the PoC.
Small and medium-sized businesses utilizing SourceCodester Simple Responsive Tourism Website version 1.0 for their online booking and tourism services are particularly at risk. Shared hosting environments where multiple websites share the same server resources are also vulnerable, as a compromise of one site could potentially impact others.
• php / web:
  curl -I 'http://your-website.com/tourism/classes/Master.php?f=register&firstname=<script>alert(1)</script>' | grep HTTP/1.1
• generic web:
  grep -i 'firstname=<script' /var/log/apache2/access.log
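The grep above only matches a literal `<script` in the raw request line, so a percent-encoded payload (`%3Cscript%3E`) in the same log is missed. As an added example, not part of this advisory or of the SourceCodester project, the following PHP script generalizes that check: it extracts the query string from each access-log line, decodes it, and inspects all three parameters named in the advisory (firstname, lastname, username) for script tags, inline event handlers and `javascript:` URLs. The log lines are constructed for the example, and the Apache combined-log layout is an assumption.

```php
<?php
// Added example (not from the advisory or the SourceCodester project): scan Apache
// access-log lines for XSS payloads aimed at the register action's firstname,
// lastname and username parameters. The query string is decoded before matching,
// so percent-encoded payloads are caught as well as literal ones.

// Constructed sample log lines (Apache combined format, trimmed); not real traffic.
$sampleLog = <<<'LOG'
203.0.113.5 - - [08/Feb/2026:10:00:01 +0000] "GET /tourism/classes/Master.php?f=register&firstname=Alice&lastname=Smith&username=alice HTTP/1.1" 200 512
203.0.113.9 - - [08/Feb/2026:10:00:02 +0000] "GET /tourism/classes/Master.php?f=register&firstname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=x&username=y HTTP/1.1" 200 512
203.0.113.9 - - [08/Feb/2026:10:00:03 +0000] "GET /tourism/classes/Master.php?f=register&firstname=Bob&lastname=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E&username=bob HTTP/1.1" 200 512
203.0.113.7 - - [08/Feb/2026:10:00:04 +0000] "GET /tourism/index.php?page=home HTTP/1.1" 200 2048
LOG;

// Parameters named in the advisory as the injection points.
const WATCHED_PARAMS = ['firstname', 'lastname', 'username'];

// Patterns that indicate script injection once the value has been decoded.
const XSS_PATTERNS = [
    '/<\s*script/i',                     // <script ...>
    '/<\s*[a-z]+[^>]*\bon[a-z]+\s*=/i',  // any tag carrying an on* event handler
    '/javascript\s*:/i',                 // javascript: URL scheme
];

/**
 * Return the suspicious (parameter => decoded value) pairs found in one log
 * line, or an empty array if the line is clean or is not a register request.
 */
function suspiciousParams(string $line): array
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    parse_str($query, $params);           // parse_str percent-decodes the values
    if (($params['f'] ?? '') !== 'register') {
        return [];
    }
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        $value = (string)($params[$name] ?? '');
        foreach (XSS_PATTERNS as $re) {
            if (preg_match($re, $value)) {
                $hits[$name] = $value;
                break;
            }
        }
    }
    return $hits;
}

// Report every line with at least one suspicious parameter.
foreach (explode("\n", $sampleLog) as $n => $line) {
    $hits = suspiciousParams($line);
    if ($hits) {
        printf("line %d: possible XSS attempt in %s\n", $n + 1, json_encode($hits));
    }
}
```

Run it with `php detect.php`; to use it on a real log, replace `$sampleLog` with the file contents (for example `file_get_contents('/var/log/apache2/access.log')`). Because decoding happens before matching, the second and third constructed lines are flagged even though neither contains a literal `<script`. POST bodies are not logged by Apache by default, so this catches only payloads sent in the query string.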
Exploit Status
EPSS
0.01% (percentile 3%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2159 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website as soon as it becomes available. Until an upgrade is possible, consider implementing input validation and sanitization on the firstname, lastname, and username parameters in the register action (f=register) of /tourism/classes/Master.php. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update server-side code to prevent similar vulnerabilities from arising.
Update to a fixed version of the software. If no fixed version is available, it is recommended to sanitize the firstname, lastname and username fields to prevent injection of malicious code.
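The following PHP is an added example of the validation-plus-encoding mitigation described above; it is not code from the SourceCodester project, and the structure of the register handler (the function names, the welcome markup) is hypothetical. Only the three parameter names come from the advisory. It shows the vulnerable pattern (request data concatenated straight into HTML) beside a hardened version that validates each field against an allowlist and HTML-encodes everything it renders.

```php
<?php
// Added example, not code from the SourceCodester project. The handler layout is
// assumed (hypothetical); only the parameter names firstname, lastname and
// username come from the advisory.

/**
 * Validate the three registration fields. Returns [cleanValues, errors].
 * Validation limits what gets stored; it does not replace output encoding.
 */
function validateRegistration(array $input): array
{
    $errors = [];
    $clean  = [];

    // Names: letters (any script), spaces, apostrophes and hyphens; 1-50 chars.
    foreach (['firstname', 'lastname'] as $field) {
        $value = trim((string)($input[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 50 || !preg_match('/^[\p{L} \'\-]+$/u', $value)) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }

    // Username: ASCII letters, digits, underscore and dot; 3-30 chars.
    $username = (string)($input['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_.]{3,30}$/', $username)) {
        $errors['username'] = 'invalid';
    } else {
        $clean['username'] = $username;
    }

    return [$clean, $errors];
}

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * Omitting this step is what lets a stored or reflected name execute as script.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the defect class the advisory describes): raw request
// data is concatenated into the page, so a script tag in a name is rendered as-is.
function renderWelcomeUnsafe(array $input): string
{
    return '<p>Welcome, ' . $input['firstname'] . ' ' . $input['lastname'] . '!</p>';
}

// Hardened pattern: allowlist validation on input, HTML encoding on output.
function renderWelcomeSafe(array $input): string
{
    [$clean, $errors] = validateRegistration($input);
    if ($errors) {
        return '<p>Registration rejected, invalid field(s): '
             . h(implode(', ', array_keys($errors))) . '</p>';
    }
    return '<p>Welcome, ' . h($clean['firstname']) . ' ' . h($clean['lastname'])
         . ' (' . h($clean['username']) . ')!</p>';
}

// Constructed sample request, standing in for $_POST/$_GET from the register form.
$sample = [
    'firstname' => '<script>alert(1)</script>',
    'lastname'  => "O'Brien",
    'username'  => 'obrien_1',
];

echo renderWelcomeUnsafe($sample), PHP_EOL;  // the script tag reaches the browser
echo renderWelcomeSafe($sample), PHP_EOL;    // rejected: firstname fails the allowlist

// A legitimate name with an apostrophe and an accented letter passes validation
// and is encoded on output, so the quote cannot break out of an attribute either.
$sample['firstname'] = 'Siobhán';
echo renderWelcomeSafe($sample), PHP_EOL;
```

Two points worth keeping separate: the allowlist decides what the application accepts (and stops the payload from ever being stored), while `htmlspecialchars` with `ENT_QUOTES` is what makes any value safe at the point it is written into HTML. Applying only the first leaves other fields and future code paths exposed; applying only the second still stores hostile data that another consumer (a report, an admin page, a JSON API) might render without encoding.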
CVE-2026-2159 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. Until then, implement input validation and WAF rules.
A public proof-of-concept exists, suggesting a high probability of exploitation. Monitor your systems and implement mitigations.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2159.