Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Product Reservation System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within an unknown function of the handgunner-administrator/prod.php file. A fix is available, and immediate action is advised.
Successful exploitation of CVE-2026-0586 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious actions, including stealing session cookies, redirecting users to phishing sites, or modifying the content of the web page. The remote nature of the vulnerability means that an attacker does not need to be on the same network as the target system to exploit it. Given the public availability of an exploit, the risk of immediate exploitation is high.
The exploit for CVE-2026-0586 is publicly available, significantly increasing the likelihood of exploitation. The vulnerability has been added to the NVD database on 2026-01-05. Due to the ease of exploitation and public availability of the exploit, the probability of exploitation is considered high. No KEV listing or confirmed active campaigns are currently known.
Organizations using the Online Product Reservation System version 1.0 are at risk, particularly those with publicly accessible instances. Shared hosting environments are especially vulnerable, as a compromised account on one site could potentially be used to exploit this vulnerability on other sites hosted on the same server.
• generic web:
curl -I 'http://your-target-domain.com/handgunner-administrator/prod.php?cat=<script>alert(1)</script>' | grep -i 'content-type: text/html'
• generic web:
curl 'http://your-target-domain.com/handgunner-administrator/prod.php?cat=<script>alert(1)</script>' | grep 'alert(1)'
Exploit Status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0586 is to upgrade to a patched version of the Online Product Reservation System. If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to filter out requests containing suspicious characters in the 'cat' parameter of the prod.php endpoint. Input validation on the server-side, specifically sanitizing user-supplied input before rendering it in the browser, is also crucial. Carefully review the code in handgunner-administrator/prod.php for other potential vulnerabilities. After upgrade, confirm by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) via the 'cat' parameter; it should be properly sanitized or rejected.
Upgrade to a patched version or implement input-sanitization measures for the 'cat' variable in the prod.php file to prevent execution of XSS code. Validate and escape user input before it is rendered on the web page.
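An illustrative before/after for the escaping described above. This is an added example, not code from the Online Product Reservation System; the advisory does not show the affected function in prod.php, so the vulnerable pattern, the function names and the 64-character limit are assumptions.

```php
<?php
// Illustrative reflected-XSS fix for a 'cat' query parameter.
// Assumption: this is NOT the project's prod.php; the advisory does not show its code.

// BEFORE (hypothetical vulnerable pattern): input echoed straight into HTML,
// so ?cat=<script>alert(1)</script> is returned to the browser as live markup.
function render_category_unsafe(string $cat): string
{
    return '<h2>Category: ' . $cat . '</h2>';
}

// AFTER: validate the parameter, then escape it for the HTML body context.
function render_category_safe($cat): string
{
    // ?cat[]=x arrives as an array; accept only a single, short string.
    if (!is_string($cat) || strlen($cat) === 0 || strlen($cat) > 64) {
        return '<p>Invalid category.</p>';
    }
    // Escaping: htmlspecialchars with ENT_QUOTES converts < > & " ' to entities,
    // so the payload is displayed as text rather than parsed as a script tag.
    $safe = htmlspecialchars($cat, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Category: ' . $safe . '</h2>';
}

// Page handler: an explicit charset on Content-Type and a CSP without
// 'unsafe-inline' limit the impact of any escaping gap elsewhere in the page.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
echo render_category_safe($_GET['cat'] ?? null);
```

If category identifiers are numeric in your deployment, tightening the check to ctype_digit() rejects the payload before it reaches the escaping step at all.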
CVE-2026-0586 is a cross-site scripting vulnerability affecting the Online Product Reservation System version 1.0, allowing attackers to inject malicious scripts via the 'cat' parameter in prod.php.
You are affected if you are using Online Product Reservation System version 1.0 and have not applied the available patch. Check your version and upgrade immediately.
Upgrade to a patched version of the Online Product Reservation System. If upgrading is not possible, implement a WAF rule to filter malicious input and perform server-side input validation.
Due to the public availability of an exploit, CVE-2026-0586 is likely being actively exploited. Prompt mitigation is crucial.
Refer to the vendor's website or security advisories for the Online Product Reservation System for the official advisory regarding CVE-2026-0586.