Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in isourcecode Society Management System version 1.0. This flaw resides within the /admin/activity.php file and allows attackers to inject malicious scripts through manipulation of the Title argument. Successful exploitation could lead to session hijacking or defacement of the application. The vulnerability was publicly disclosed on 2026-01-19 and a proof-of-concept is available.
The XSS vulnerability in isourcecode Society Management System allows an attacker to inject arbitrary JavaScript code into the application. This code will then be executed in the context of the user's browser when they access the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the Society Management System. Given the availability of a public proof-of-concept, the risk of exploitation is considered high.
CVE-2026-1135 is publicly known with a proof-of-concept available, indicating a high probability of exploitation. It was disclosed on 2026-01-19. The vulnerability is not currently listed on CISA KEV, but its public nature warrants close monitoring. Active exploitation campaigns are possible given the ease of exploitation.
Organizations using isourcecode Society Management System version 1.0, particularly those with publicly accessible administration interfaces, are at risk. Shared hosting environments where multiple users share the same instance of the software are especially vulnerable, as an attacker could potentially compromise other users' accounts.
• generic web:
  curl -I "<affected_url>/admin/activity.php?Title=<xss_payload>"
• generic web:
  grep -i "<xss_payload>" /var/log/apache2/access.log
Disclosure
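The grep above only finds a payload you already know. The following added example (not part of the advisory or of the Society Management System) does the more general check: it parses Apache combined-format access log lines, URL-decodes the Title parameter of requests to /admin/activity.php, and flags values that contain HTML markup or script-like content. The three log lines are constructed sample data; the path and parameter name are the ones the advisory names.

```php
<?php
// Added example (not from the advisory): triage access-log lines for requests to
// /admin/activity.php whose decoded Title parameter carries markup.
declare(strict_types=1);

// Constructed sample log lines in Apache combined format (not real traffic).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [19/Jan/2026:10:01:02 +0000] "GET /admin/activity.php?Title=Annual%20Meeting HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jan/2026:10:05:44 +0000] "GET /admin/activity.php?Title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2398 "-" "curl/8.4.0"
198.51.100.2 - - [19/Jan/2026:10:07:10 +0000] "GET /index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
LOG;

/**
 * Return the decoded Title values that look like HTML injection attempts,
 * together with the source IP and timestamp of each request.
 */
function findSuspiciousTitles(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client IP ... [timestamp] "METHOD /path?query HTTP/x"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $when, $target] = $m;
        $path  = parse_url($target, PHP_URL_PATH);
        $query = parse_url($target, PHP_URL_QUERY);
        if ($path !== '/admin/activity.php' || $query === null) {
            continue;
        }
        parse_str($query, $params);   // parse_str also URL-decodes the values
        $title = $params['Title'] ?? '';
        // Tag delimiters, an on*= event-handler attribute or a javascript: URL are
        // not expected in a plain-text activity title.
        if (preg_match('/[<>]|\bon\w+\s*=|javascript:/i', $title)) {
            $hits[] = ['ip' => $ip, 'time' => $when, 'title' => $title];
        }
    }
    return $hits;
}

foreach (findSuspiciousTitles(SAMPLE_LOG) as $hit) {
    printf("%s %s Title=%s\n", $hit['time'], $hit['ip'], $hit['title']);
}
```

Run against the sample data it reports only the second line, whose decoded Title is a script tag. The pattern is a triage heuristic rather than a complete XSS detector: it will also flag a benign title containing a stray `<`, and it only sees GET parameters, so POST bodies (which Apache does not log by default) need a WAF or application log instead.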
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1135 is to upgrade to a patched version of isourcecode Society Management System. As no fixed version is currently available, implement temporary workarounds to reduce the risk. These include implementing strict input validation on the Title parameter in /admin/activity.php, sanitizing user-supplied data, and deploying a Web Application Firewall (WAF) with rules to block XSS attacks. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
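The workarounds above (validate the Title parameter, sanitize output, add a CSP) are shown in working form in the following added example. It is not the Society Management System's own code: the parameter name comes from the advisory, while the render functions, the validation rule and the CSP value are hypothetical stand-ins chosen to illustrate the fix.

```php
<?php
// Added example (not the project's code): an unsafe reflected-output pattern for a
// "Title" parameter beside its hardened form, plus a restrictive CSP header.
declare(strict_types=1);

/** Unsafe: the raw query value is written straight into the HTML response. */
function renderTitleUnsafe(string $title): string
{
    return '<h2>' . $title . '</h2>';
}

/** Safe: HTML-encode at the point of output, covering both quote styles and UTF-8. */
function renderTitleSafe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $escaped . '</h2>';
}

/**
 * Input validation (hypothetical rule): an activity title is short plain text,
 * so reject control characters and excessive length before the value is stored.
 * Validation narrows what reaches the database; output encoding is still the
 * control that prevents script execution.
 */
function isValidTitle(string $title): bool
{
    return $title !== ''
        && strlen($title) <= 120
        && preg_match('/^[^\x00-\x1F\x7F]+$/u', $title) === 1;
}

/** Defence in depth: scripts only from the site's own origin, no inline script. */
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed sample input shaped like an injection attempt (not from the advisory).
$title = $_GET['Title'] ?? '<script>alert(1)</script>';

sendCspHeader();
if (!isValidTitle($title)) {
    http_response_code(400);
    echo "Invalid title\n";
    exit;
}
// echo renderTitleUnsafe($title);  // would place the tag verbatim in the page
echo renderTitleSafe($title), "\n";   // the tag is encoded as text inside the <h2>
```

The sample title passes the validation rule (it is short, printable text), which is the point: a validator written for "reasonable titles" does not stop markup, so the escaping in renderTitleSafe is the necessary control and the CSP is a second layer if some other output path is missed. In the real application the same htmlspecialchars call belongs at every place the stored title is echoed, not only on the page that receives the parameter.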
Update to a patched version of the software. If no patched version is available, it is recommended to disable or remove the software until a fix has been published.
CVE-2026-1135 is a cross-site scripting (XSS) vulnerability affecting isourcecode Society Management System version 1.0, allowing attackers to inject malicious scripts via the /admin/activity.php file.
If you are using isourcecode Society Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of isourcecode Society Management System. Until a patch is available, implement input validation and WAF rules to mitigate the risk.
A proof-of-concept is publicly available, indicating a high probability of exploitation. Monitor your systems closely for suspicious activity.
Please refer to the isourcecode website or security mailing lists for the official advisory regarding CVE-2026-1135.