Platform
php
Component
cve_choco_5
Fixed in
1.0.1
CVE-2026-2159 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Simple Responsive Tourism Website version 1.0. This flaw allows an attacker to inject malicious scripts into the website, potentially stealing user data or performing actions on their behalf. The vulnerability resides within the registration process, specifically in the handling of firstname, lastname, and username parameters. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2159 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the website, and redirection to phishing sites. The attacker could potentially harvest sensitive user information, such as login credentials or personal details. Given the tourism-focused nature of the website, data like booking information and payment details could also be at risk. The remote accessibility of the vulnerability significantly broadens the potential attack surface.
A public proof-of-concept (PoC) for CVE-2026-2159 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2026-02-08. It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring. Active campaigns targeting this vulnerability are possible given the availability of the PoC.
Small and medium-sized businesses utilizing SourceCodester Simple Responsive Tourism Website version 1.0 for their online booking and tourism services are particularly at risk. Shared hosting environments where multiple websites share the same server resources are also vulnerable, as a compromise of one site could potentially impact others.
• php / web:
curl -I 'http://your-website.com/tourism/classes/Master.php?f=register&firstname=<script>alert(1)</script>' | grep HTTP/1.1
• generic web:
grep -i 'firstname=<script' /var/log/apache2/access.log
Exploit Status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2159 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website as soon as it becomes available. Until an upgrade is possible, consider implementing input validation and sanitization on the firstname, lastname, and username parameters in the registration handler (/tourism/classes/Master.php, called with f=register). Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update server-side code to prevent similar vulnerabilities from arising.
Update to a fixed version of the software. If no fixed version is available, sanitize the firstname, lastname and username inputs to prevent the injection of malicious code.
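The following is an added example of the validation and encoding pattern recommended above; it is not code from the SourceCodester project and does not reproduce its Master.php handler. The function names, the allow-list rules, the length limits and the sample requests are assumptions chosen for illustration. It combines strict allow-list validation of the three registration fields with output encoding at render time, so that a value which slips past validation still cannot become script in the page.

```php
<?php
// Added example (not the project's code): hardened handling of the
// firstname, lastname and username registration parameters named in the
// advisory. Function names, allow-list rules and limits are assumptions.

declare(strict_types=1);

/**
 * Validate the three registration fields against an allow-list.
 * Returns a list of error messages; an empty list means the input is valid.
 */
function validateRegistration(array $input): array
{
    $errors = [];

    // Names: letters in any script, combining marks, spaces, apostrophes,
    // hyphens; 1-50 characters. Angle brackets, quotes, etc. are rejected.
    foreach (['firstname', 'lastname'] as $field) {
        $value = trim((string)($input[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 50) {
            $errors[] = "$field must be 1-50 characters";
        } elseif (!preg_match('/^[\p{L}\p{M} \'\-]+$/u', $value)) {
            $errors[] = "$field contains disallowed characters";
        }
    }

    // Username: ASCII letters, digits, underscore and dot; 3-32 characters.
    $username = trim((string)($input['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_.]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 characters of letters, digits, _ or .';
    }

    return $errors;
}

/**
 * Output encoding: escape every user-controlled value when it is rendered
 * into HTML, independently of whether it passed input validation.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one benign, one carrying the advisory's
// kind of payload in firstname and an invalid username.
$samples = [
    ['firstname' => 'Ana', 'lastname' => "O'Neil", 'username' => 'ana.oneil'],
    ['firstname' => '<script>alert(1)</script>', 'lastname' => 'x', 'username' => 'bad user'],
];

foreach ($samples as $req) {
    $errors = validateRegistration($req);
    if ($errors !== []) {
        // Reject the request; the messages contain no user input, but are
        // encoded anyway before being written into the response.
        foreach ($errors as $e) {
            echo 'Rejected: ' . h($e) . PHP_EOL;
        }
        continue;
    }
    // Validated values are still encoded at render time (defence in depth).
    echo 'Welcome, ' . h($req['firstname']) . ' ' . h($req['lastname']) . PHP_EOL;
}
```

Run with `php example.php`: the first request is accepted and rendered as `Welcome, Ana O&#039;Neil`, the second is rejected for both the firstname and the username. Validation alone is not sufficient, because names legitimately contain characters such as apostrophes that matter in some HTML contexts; the `h()` call at the point of output is what prevents any stored value from being interpreted as markup.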
CVE-2026-2159 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. Until then, implement input validation and WAF rules.
A public proof-of-concept exists, suggesting a high probability of exploitation. Monitor your systems and implement mitigations.
Refer to the SourceCodester website and relevant security forums for updates and advisories regarding CVE-2026-2159.