Is there a public PoC exploit available for CVE-2026-5209?

Yes, a public proof-of-concept exploit is available for CVE-2026-5209. Prioritise patching immediately. EPSS: 0.0%.

Leave Application System CVE-2026-5209

Q: What is the CVSS score of CVE-2026-5209?

CVE-2026-5209 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-17587 LOW

Cross-site Scripting (XSS) (CWE-79)

2026-03-31 VulDB

XSS Leave Application System

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

4.8 (MEDIUM) 1.9 (LOW)

PoC Detected

Apr 01, 2026 - 14:23 vuln.today

Public exploit code

EUVD ID Assigned

Mar 31, 2026 - 19:01 euvd

EUVD-2026-17587

Analysis Generated

Mar 31, 2026 - 19:01 vuln.today

CVE Published

Mar 31, 2026 - 18:30 nvd

MEDIUM 4.8

DescriptionCVE.org

A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Stored cross-site scripting (XSS) in SourceCodester Leave Application System 1.0 User Management Handler allows authenticated remote attackers with high privileges to inject malicious scripts via the component, requiring user interaction to execute. The vulnerability carries a CVSS 4.8 score with publicly available exploit code; however, real-world risk is constrained by high privilege requirement (PR:H) and necessary user interaction (UI:P), limiting opportunistic exploitation.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 4.8 score reflects a low-to-moderate severity rating justified by multiple constraints: the attack requires high privilege level (PR:H), necessitates user interaction (UI:P), and produces only integrity impact (VI:L) with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated administrator with high privileges could inject malicious JavaScript code (e.g., session stealing or credential harvesting) through the User Management Handler form fields. When other users or administrators view the affected records in the application, the stored XSS payload executes in their browser context without further authentication. …
Remediation	Organizations should immediately upgrade to a patched version of SourceCodester Leave Application System beyond version 1.0, though a specific remediated version number is not independently confirmed in available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5209 vulnerability details – vuln.today

Back