Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in projectworlds House Rental and Property Listing version 1.0. This flaw resides within the /app/sms.php file and allows attackers to inject malicious scripts via manipulation of the Message argument. Successful exploitation could lead to session hijacking or defacement of the application, impacting users of this property listing platform.
The XSS vulnerability in House Rental and Property Listing allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a page containing the injected script. Attackers could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The public availability of the exploit significantly increases the risk of widespread exploitation, particularly given the potential for automated scanning and exploitation attempts. The impact is amplified if the application handles sensitive user data, such as personal information or financial details.
The exploit for CVE-2026-1700 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV. Given the public availability of the exploit and the relatively simple nature of the XSS attack, it is likely that automated scanning tools are already targeting vulnerable instances. Monitor logs for suspicious activity and implement proactive detection measures.
Organizations and individuals using projectworlds House Rental and Property Listing version 1.0, particularly those hosting the application on shared hosting environments or without robust security monitoring, are at increased risk. Users who interact with the application's SMS functionality are also directly exposed.
• php / server: grep -r "Message = " /app/sms.php
• generic web: curl -I <property listing URL with potentially malicious Message parameter>
• generic web: Examine access logs for requests containing suspicious characters in the Message parameter.
disclosure
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1700 is to upgrade to a patched version of House Rental and Property Listing. Since no fixed version is specified, immediate action is crucial. As a temporary workaround, implement strict input validation on the Message argument in /app/sms.php, ensuring that only expected characters are allowed. Employ output encoding to sanitize any user-supplied data before rendering it in the browser. Consider implementing a Web Application Firewall (WAF) with XSS filtering rules to block malicious requests. Regularly review and update security configurations.
Upgrade to a patched version or apply the necessary security measures to prevent the injection of malicious code via the 'Message' parameter in the sms.php file. Validate and sanitise user input to prevent cross-site scripting (XSS) attacks.
CVE-2026-1700 is a cross-site scripting (XSS) vulnerability in projectworlds House Rental and Property Listing version 1.0, affecting the /app/sms.php file. Attackers can inject malicious scripts by manipulating the Message argument.
You are affected if you are using projectworlds House Rental and Property Listing version 1.0 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of House Rental and Property Listing. As a temporary workaround, implement input validation and output encoding on the Message argument in /app/sms.php.
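To make the "input validation plus output encoding" workaround described in the mitigation text concrete, here is an added PHP example (not code from projectworlds or from the real sms.php): a constructed, simplified handler for the Message parameter in its XSS-prone form beside a hardened form. The function names, the length limit and the demo input are assumptions.

```php
<?php
// Added example, not the application's own code. A constructed, simplified
// handler for the Message parameter, first in a reflected-XSS-prone form and
// then hardened with validation and context-aware output encoding.

// Vulnerable pattern (constructed for illustration): the raw parameter is
// written straight into the HTML response, so any markup in it is rendered
// and executed by the visitor's browser.
function render_message_unsafe(array $request): string
{
    $message = $request['Message'] ?? '';
    return "<p>Your message: " . $message . "</p>";
}

// Validation limits length and rejects control characters. It narrows the
// input, but encoding below is the control that actually stops injection.
function validate_message(string $message): ?string
{
    $message = trim($message);
    // Reject empty input and anything beyond an assumed SMS-sized limit.
    if ($message === '' || mb_strlen($message, 'UTF-8') > 480) {
        return null;
    }
    // Reject ASCII control characters other than tab, LF and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $message)) {
        return null;
    }
    return $message;
}

// Hardened version: validate, then HTML-encode for the context it is
// rendered into. ENT_QUOTES encodes both quote styles, so the value is
// also safe inside attribute values; ENT_SUBSTITUTE avoids htmlspecialchars
// returning an empty string on invalid UTF-8 and silently dropping input.
function render_message_safe(array $request): string
{
    $message = validate_message((string) ($request['Message'] ?? ''));
    if ($message === null) {
        return "<p>Invalid message.</p>";
    }
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Your message: " . $encoded . "</p>";
}

// Demonstration with a constructed input that contains markup.
$demo = ['Message' => 'Is the flat still free? <b>call me</b>'];
echo render_message_unsafe($demo), "\n"; // browser renders the <b> tag
echo render_message_safe($demo), "\n";   // browser shows the tag as text
```

The same encoding call must be applied at every point where the Message value is echoed back, including any admin or log view, not only in the initial response.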
Due to the public availability of the exploit, CVE-2026-1700 is likely being actively exploited, or is at high risk of exploitation.
Refer to projectworlds' official website or security channels for the advisory related to CVE-2026-1700.