EUVD-2026-21855
GHSA-rqvj-x8vr-qv55
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. This impacts an unknown function of the file /bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Reflected cross-site scripting (XSS) in PHPGurukul Company Visitor Management System 2.0 allows authenticated remote attackers to inject malicious scripts via the fromdate parameter in /bwdates-reports-details.php. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 5.1.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Risk Assessment | While the CVSS v4.0 base score of 5.1 is moderate, the real-world risk is elevated by several factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with knowledge of the vulnerability crafts a malicious URL containing JavaScript in the fromdate parameter (e.g., /bwdates-reports-details.php?fromdate=<script>fetch('/steal-session?c='+document.cookie)</script>) and shares it via email or social engineering targeting employees of an organization using the Visitor Management System. When an authenticated user clicks the link while logged in, the JavaScript executes in their browser, stealing their session cookie or redirecting them to a credential harvesting page. … |
| Remediation | The primary remediation is to upgrade to a patched version released by PHPGurukul; however, no specific patched version number has been independently confirmed in available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today