Skip to main content

PHP CVE-2026-5010

| EUVDEUVD-2026-16660 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-27 INCIBE GHSA-jcp9-3x5h-m222
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 14:45 euvd
EUVD-2026-16660
Analysis Generated
Mar 27, 2026 - 14:45 vuln.today
Patch released
Mar 27, 2026 - 14:45 nvd
Patch available
CVE Published
Mar 27, 2026 - 14:35 nvd
MEDIUM 5.1

DescriptionCVE.org

A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on the user’s behalf.

AnalysisAI

Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.

Technical ContextAI

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw where user-supplied input via URL parameters is rendered in HTML responses without proper sanitization or encoding. The affected application is Sanoma's Clickedu (identified via CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*), a PHP-based educational platform. The /user.php/ endpoint fails to validate, filter, or HTML-encode attacker-controlled input before reflecting it back to the client, allowing injection of malicious JavaScript that executes in the context of the victim's authenticated session within the Clickedu application. This is a client-side execution flaw in a server-side rendered PHP application, typical of web applications that do not implement Content Security Policy (CSP) or proper output encoding frameworks.

RemediationAI

Apply the vendor-released patch from Sanoma as documented in the INCIBE advisory (https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu-0). Until patching is completed, implement input validation and output encoding at the /user.php/ endpoint to neutralize XSS payloads-specifically, HTML-encode all user-supplied parameters before rendering them in HTTP responses, and implement a Content Security Policy (CSP) header to prevent inline script execution. For educational institutions unable to patch immediately, restrict access to Clickedu via a reverse proxy configured with HSTS headers and IP-based access controls from trusted networks only, and educate users not to click on Clickedu links from unsolicited messages.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-5010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy