Platform: php
Fixed version: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in isourcecode Society Management System version 1.0. This flaw resides within the /admin/activity.php file and allows attackers to inject malicious scripts through manipulation of the Title argument. Successful exploitation could lead to session hijacking or defacement of the application. The vulnerability was publicly disclosed on 2026-01-19 and a proof-of-concept is available.
The XSS vulnerability in isourcecode Society Management System allows an attacker to inject arbitrary JavaScript code into the application. This code will then be executed in the context of the user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the Society Management System. Given the availability of a public proof-of-concept, the risk of exploitation is considered high.
CVE-2026-1135 is publicly known with a proof-of-concept available, indicating a high probability of exploitation. It was disclosed on 2026-01-19. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Active exploitation campaigns are possible given the ease of exploitation.
Organizations using isourcecode Society Management System version 1.0, particularly those with publicly accessible administration interfaces, are at risk. Shared hosting environments where multiple users share the same instance of the software are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• generic web:
curl -I "<affected_url>/admin/activity.php?Title=<xss_payload>"
• generic web:
grep -i "<xss_payload>" /var/log/apache2/access.log
Exploitation status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1135 is to upgrade to a patched version of isourcecode Society Management System. As no fixed version is currently available, implement temporary workarounds to reduce the risk. These include implementing strict input validation on the Title parameter in /admin/activity.php, sanitizing user-supplied data, and deploying a Web Application Firewall (WAF) with rules to block XSS attacks. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
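One way to apply the mitigations above in PHP, as an added example that is not the vendor's code: the unescaped-output pattern that produces this class of bug is shown beside a version that validates the Title value on input, HTML-encodes it on output, and sends a CSP header. The function names, the 100-character limit and the sample value are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is written into HTML unchanged,
// so any markup it contains becomes part of the page. Illustrative only.
function render_title_unsafe(string $title): string
{
    return '<h2>' . $title . '</h2>';
}

// Hardened step 1: validate the input shape on the way in. Activity titles
// are short human-readable text, so reject empty, overlong or control-character
// values. The length limit and character rules are assumptions.
function validate_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title) === 1) {
        return null;
    }
    return $title;
}

// Hardened step 2: encode on the way out. Output encoding is what actually
// stops the script from executing; validation only narrows what reaches storage.
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>' . $encoded . '</h2>';
}

// Defence in depth: a CSP that disallows inline scripts, sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample value standing in for what a handler would read from $_GET['Title'].
$title = $_GET['Title'] ?? 'Annual meeting <script>alert(1)</script>';
send_csp_header();
$clean = validate_title($title);
echo $clean === null ? '<p>Invalid title</p>' : render_title_safe($clean), "\n";
// The unsafe renderer would emit the <script> tag verbatim; the safe one emits
// &lt;script&gt;alert(1)&lt;/script&gt;, which the browser displays as text.
```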
Update to the patched version of the software. If a patched version is not available, we recommend disabling or removing the software until a fix is released.
CVE-2026-1135 is a cross-site scripting (XSS) vulnerability affecting isourcecode Society Management System version 1.0, allowing attackers to inject malicious scripts via the /admin/activity.php file.
If you are using isourcecode Society Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of isourcecode Society Management System. Until a patch is available, implement input validation and WAF rules to mitigate the risk.
A proof-of-concept is publicly available, indicating a high probability of exploitation. Monitor your systems closely for suspicious activity.
Please refer to the isourcecode website or security mailing lists for the official advisory regarding CVE-2026-1135.