Platform
php
Component
silver-guide
Fixed in
1.0.1
CVE-2026-2214 is a cross-site scripting (XSS) vulnerability in code-projects' silver-guide plugin (referred to on this page as the code-projects Plugin), affecting version 1.0. The flaw is reached through the txtalbum parameter of /Administrator/PHP/AdminAddAlbum.php: the submitted value reaches the HTML response without adequate validation or output encoding, so an attacker can inject script into the page. The vulnerability is remotely exploitable and a public proof-of-concept has been published.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the origin of the affected site. Typical consequences are session hijacking, defacement, redirection to phishing pages and theft of whatever the victim's session can read, such as credentials or personal data. Because the injection point is a script in the administrative area, the most valuable target is an administrator whose authenticated session the injected script can act on. The public proof-of-concept lowers the effort needed to weaponise the flaw.
CVE-2026-2214 carries a CVSS score of 2.4 (LOW). The low score reflects the limited direct impact of the flaw, not any difficulty in triggering it: a public proof-of-concept exploit is available, so the barrier to entry for an attacker is low. The vulnerability was disclosed on 2026-02-09. It is not listed in CISA's KEV catalogue and no exploitation campaigns are currently known.
Sites running code-projects Plugin version 1.0 are at risk. Administrators of such sites are the primary targets, since the vulnerable script is part of the administrative interface; ordinary users are exposed indirectly, through whatever an attacker does with a hijacked administrator session.
• php / server:
grep -rnF "\$_POST['txtalbum']" /var/www/html/code-projects/Plugin/
(The pattern must be quoted so the shell does not expand $_POST; the path is a placeholder for wherever the plugin is installed. A hit shows where the parameter is read; inspect whether that value is encoded before it is echoed.)
• generic web:
curl -s --data-urlencode "txtalbum=<script>alert(1)</script>" http://your-website.com/Administrator/PHP/AdminAddAlbum.php | grep -F "<script>alert(1)</script>"
(The parameter is read from the POST body, so a HEAD request would not exercise it. Add -b with a valid administrator session cookie if the script requires login. A match means the payload is reflected as live markup; a patched version returns it encoded, e.g. &lt;script&gt;, or rejects the request.)
Exploit status
Public proof-of-concept available; no known in-the-wild exploitation (not in CISA KEV)
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2214 is to upgrade to the fixed release, 1.0.1 (listed above), or to any later version published on the code-projects website or repository. Where the upgrade cannot be applied immediately, harden /Administrator/PHP/AdminAddAlbum.php directly: validate txtalbum on input (bound its length and restrict it to an allow-list of characters) and, independently of that, HTML-encode it on output with htmlspecialchars() using ENT_QUOTES and the page's charset. Output encoding in the correct context is what actually stops the script from executing; input validation alone is easy to bypass and tends to be relaxed over time. A Web Application Firewall with XSS rules can block the known payloads in the meantime, but it is a stopgap rather than a fix. After mitigating, verify by submitting a simple payload such as <script>alert(1)</script> in the txtalbum field and confirming that the response either rejects it or contains it only in encoded form (&lt;script&gt;...), never as live markup.
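The following is an added example, not code from the code-projects or silver-guide project. It puts the unsafe pattern the advisory describes next to a hardened handler that applies both controls named above (input validation and output encoding) and then runs the verification payload against each. The only identifiers taken from the advisory are the request field txtalbum and the script path; the function names, the character allow-list and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the code-projects / silver-guide plugin. Only the
// request field "txtalbum" and the path /Administrator/PHP/AdminAddAlbum.php come
// from the advisory; function names, the allow-list and sample inputs are assumptions.
// Requires PHP 8.0+ (str_contains).

// Unsafe pattern: the raw request value is concatenated straight into HTML.
// This is the shape of bug the CVE describes; whatever the user submits becomes markup.
function renderAlbumUnsafe(array $post): string
{
    $name = $post['txtalbum'] ?? '';
    return '<p>Album added: ' . $name . '</p>';
}

// Input validation: accept only a bounded length and an allow-list of characters.
// Returns null when the caller should reject the request (e.g. with HTTP 400).
function validateAlbumName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {   // byte-length bound
        return null;
    }
    // Letters, digits, space and a little punctuation; "<", ">", "&" and '"' never pass.
    if (!preg_match('/^[\p{L}\p{N} .,\'_-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding: encode for an HTML text-node context regardless of validation,
// so a value that slips past the allow-list (or a later relaxation of it) stays inert.
function renderAlbumSafe(array $post): string
{
    $name = validateAlbumName((string) ($post['txtalbum'] ?? ''));
    if ($name === null) {
        // In the real handler also call http_response_code(400); here only the body is returned.
        return '<p>Invalid album name.</p>';
    }
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Album added: ' . $encoded . '</p>';
}

// Minimal self-check helper (independent of the zend.assertions setting).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// The advisory's verification payload (constructed input).
$payload = ['txtalbum' => '<script>alert(1)</script>'];

$unsafe = renderAlbumUnsafe($payload);
$safe   = renderAlbumSafe($payload);
check(str_contains($unsafe, '<script>'), 'unsafe handler reflects the payload as live markup');
check(!str_contains($safe, '<script>'),  'hardened handler rejects the payload');

// A benign name passes validation and is encoded harmlessly (the apostrophe becomes &#039;).
$benign = renderAlbumSafe(['txtalbum' => "Summer '24"]);
check($benign === '<p>Album added: Summer &#039;24</p>', 'benign name is encoded, not rejected');

// Encoding alone also neutralises the payload, which matters if validation must be looser.
$encodedOnly = htmlspecialchars($payload['txtalbum'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
check($encodedOnly === '&lt;script&gt;alert(1)&lt;/script&gt;', 'encoding neutralises the payload');

echo $unsafe, PHP_EOL, $safe, PHP_EOL, $benign, PHP_EOL, $encodedOnly, PHP_EOL;
```

Run it with `php example.php`; it prints the four rendered strings and throws if any check fails. The two controls are deliberately layered: the allow-list gives a clean 400 for obviously hostile input, while htmlspecialchars() with ENT_QUOTES is the control that would still hold if the allow-list were later widened, and it is the right encoder only for an HTML text or attribute context (a value placed into a JavaScript string or a URL needs a different encoder).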
Update the plugin to a fixed version (1.0.1, per the header above) that properly filters user input to prevent cross-site scripting (XSS) attacks. If you cannot obtain a fixed version, disable or uninstall the plugin until an update is applied.
CVE-2026-2214 is a cross-site scripting (XSS) vulnerability in code-projects Plugin version 1.0, allowing attackers to inject malicious scripts via the txtalbum parameter.
If you are running code-projects Plugin version 1.0, you are affected. Upgrade to 1.0.1 or later as soon as possible.
Upgrade to the fixed version (1.0.1). If you cannot upgrade immediately, validate txtalbum on input and HTML-encode it on output in /Administrator/PHP/AdminAddAlbum.php, or disable the plugin until you can.
A public proof-of-concept exploit exists. No in-the-wild exploitation has been reported and the CVE is not in CISA's KEV catalogue, but the proof-of-concept makes opportunistic exploitation straightforward.
Refer to the code-projects Plugin's official website or repository for the latest security advisories and updates.