Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote attackers to inject malicious scripts via manipulation of the file 370project/mark.php. The vulnerability requires user interaction (UI:R) but can be exploited over the network without authentication. Publicly available exploit code exists and the flaw has moderate impact on integrity (CVSS 4.3).
Technical ContextAI
This is a reflected or stored cross-site scripting vulnerability (CWE-79) in a PHP-based employee management application. The vulnerable endpoint is 370project/mark.php, which fails to properly sanitize or encode user-supplied input before rendering it in HTML context. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning the attacker does not need to overcome any special technical barriers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common flaw in web applications that do not implement output encoding or input validation.
RemediationAI
Upgrade code-projects Employee Management System to a patched version released by the vendor - consult the official code-projects.org website for the latest security release. If immediate upgrade is not possible, implement input validation and output encoding on the mark.php endpoint: ensure all user inputs are validated against a whitelist of expected characters and properly HTML-encode all data before rendering in web pages. Additionally, configure your web application firewall (WAF) to detect and block XSS payloads targeting the 370project/mark.php endpoint. As a compensating control, restrict access to the employee management system to authenticated users within your organization and deploy Content Security Policy (CSP) headers to mitigate the impact of any injected scripts. Note that restricting access reduces attacker reach but does not eliminate the risk if internal users are social-engineered.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25830