Platform: php
Component: silver-guide
Fixed in: 1.0.1
CVE-2026-2214 is a cross-site scripting (XSS) vulnerability in the code-projects Plugin, affecting version 1.0. The flaw allows an attacker to inject script through the txtalbum parameter handled by /Administrator/PHP/AdminAddAlbum.php: the value is placed into the generated HTML without being validated or encoded. The vulnerability is remotely exploitable and a public proof-of-concept is available.
Successful exploitation lets an attacker run arbitrary JavaScript in the browser of whoever renders the injected value. Typical consequences are session hijacking, defacement of the affected page, redirection to phishing sites and theft of credentials or other data entered in that session. Because the affected script sits under /Administrator/, the most plausible victims are site administrators who load that page. The public proof-of-concept lowers the effort required, but the LOW CVSS score (2.4) and the EPSS below listed further down should be weighed against any "immediate exploitation" language: nothing on this page indicates active exploitation.
CVE-2026-2214 has a CVSS score of 2.4 (LOW). A public proof-of-concept exploit is available, indicating a relatively low barrier to entry for attackers. The vulnerability was disclosed on 2026-02-09. No KEV listing or confirmed exploitation campaigns are currently known.
Administrators and users of websites running code-projects Plugin version 1.0 are at risk. XSS executes in the victim's browser rather than on the server, so the exposure is to whoever views the page containing the injected txtalbum value (and, through that person's session, to the data and actions that session can reach); the flaw does not by itself give an attacker access to other sites on a shared host.
• php / server (locate the code that reads the parameter; note the single quotes, since in double quotes the shell would expand $_POST to an empty string and the pattern would never match):
grep -rn '\$_POST\[.txtalbum.\]' /var/www/html/code-projects/Plugin/
• generic web (on a system you own; send the payload as a POST body, matching the $_POST read above, and count how often it comes back unencoded; use -G to send it as a query string instead if the script reads $_GET, and pass your admin session cookie with -b if the page requires login):
curl -s --data-urlencode 'txtalbum=<script>alert(1)</script>' 'http://your-website.com/Administrator/PHP/AdminAddAlbum.php' | grep -c '<script>alert(1)</script>'
A count of 0, with the value present in the response only in its encoded form (&lt;script&gt;), means output encoding is in place.
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC: not listed
CVSS vector: not provided (score 2.4, LOW)
The primary mitigation for CVE-2026-2214 is to upgrade to a patched version of the code-projects Plugin; the header of this page lists 1.0.1 as the fixed version, so confirm that against the plugin's official website or repository. As a temporary workaround, apply strict input validation to the txtalbum parameter in /Administrator/PHP/AdminAddAlbum.php and, independently of validation, HTML-encode the value wherever it is written into a page (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset). A Web Application Firewall with XSS rules can block the obvious payloads but is defence in depth, not a fix: encoding bypasses are routine. After applying the mitigation, verify it by submitting a simple payload such as <script>alert(1)</script> through the txtalbum field and checking the raw response body for the encoded form (&lt;script&gt;) rather than relying on the absence of a pop-up.
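As an added illustration of the workaround above (this is example code, not the plugin's own source, and the function names and HTML structure are assumptions), the following shows the vulnerable pattern for the txtalbum parameter next to a hardened version that validates on input and encodes on output:

```php
<?php
// Added example (not the plugin's code): vulnerable vs. hardened handling of
// the txtalbum parameter described for AdminAddAlbum.php. Function names and
// the surrounding HTML are assumptions made for illustration.

declare(strict_types=1);

// Vulnerable pattern: the raw value is concatenated straight into HTML, so
// a value such as <script>alert(1)</script> is emitted as live markup.
function render_album_name_vulnerable(string $txtalbum): string
{
    return "<h2>Album: " . $txtalbum . "</h2>";
}

// Hardened step 1: validate the input against an allowlist.
// An album name may contain letters, digits, spaces and a few punctuation
// marks, 1 to 64 characters; anything else (including < and >) is rejected.
function validate_album_name(string $txtalbum): ?string
{
    $txtalbum = trim($txtalbum);
    if (!preg_match('/^[\p{L}\p{N} _.\'-]{1,64}$/u', $txtalbum)) {
        return null;
    }
    return $txtalbum;
}

// Hardened step 2: encode on output regardless of validation, so a value that
// reached storage by another path is still rendered as inert text.
// ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the charset is stated explicitly.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_album_name_hardened(string $txtalbum): string
{
    return "<h2>Album: " . html_escape($txtalbum) . "</h2>";
}

// Request handling as the hardened script would do it: reject invalid input
// with a 400 before anything is stored or rendered.
function handle_add_album(array $post): string
{
    $name = validate_album_name((string)($post['txtalbum'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        return "<p>Invalid album name.</p>";
    }
    // ... persist $name here ...
    return render_album_name_hardened($name);
}

// Demonstration with a constructed payload of the kind the advisory describes.
$payload = "<script>alert(1)</script>";

echo "vulnerable: ", render_album_name_vulnerable($payload), PHP_EOL;
echo "hardened:   ", render_album_name_hardened($payload), PHP_EOL;
echo "validated:  ", var_export(validate_album_name($payload), true), PHP_EOL;
echo "validated:  ", var_export(validate_album_name("Summer 2024"), true), PHP_EOL;
echo "handler:    ", handle_add_album(['txtalbum' => $payload]), PHP_EOL;
```

Run it with `php example.php`. The vulnerable renderer echoes the payload as markup, the hardened renderer emits it as `&lt;script&gt;alert(1)&lt;/script&gt;`, and the validator returns NULL for the payload while accepting an ordinary album name. Keeping validation and output encoding as two separate steps matters: validation narrows what enters the system, but encoding is what actually prevents script execution, and it must be applied at every place the value is written into HTML, not just in this one script.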
Update the plugin to a corrected version that properly filters user input to prevent cross-site scripting (XSS) attacks. If no corrected version is available, deactivate or remove the plugin until an update has been published.
CVE-2026-2214 is a cross-site scripting (XSS) vulnerability in code-projects Plugin version 1.0, allowing attackers to inject malicious scripts via the txtalbum parameter.
If you are using code-projects Plugin version 1.0, you are potentially affected. Upgrade to a patched version (this page lists 1.0.1 as the fixed version) as soon as possible.
Upgrade to a patched version of the plugin. If a patch isn't available, implement input validation and output encoding on the txtalbum parameter.
A public proof-of-concept exploit exists, suggesting a potential for active exploitation.
Refer to the code-projects Plugin's official website or repository for the latest security advisories and updates.