Skip to main content

Safety Anger Pad CVE-2026-7230

| EUVDEUVD-2026-25999 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-28 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 28, 2026 - 07:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 28, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 06:30 euvd
EUVD-2026-25999
Analysis Generated
Apr 28, 2026 - 06:30 vuln.today
CVE Published
Apr 28, 2026 - 05:45 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used.

AnalysisAI

Stored or reflected cross-site scripting (XSS) in SourceCodester Safety Anger Pad 1.0 allows remote unauthenticated attackers to inject malicious scripts via the angerDisplay parameter, potentially compromising user sessions and stealing sensitive data. The vulnerability requires user interaction (UI:R per CVSS) but has publicly available exploit code and a moderate CVSS score of 4.3, making it a practical attack vector for credential harvesting or malware distribution.

Technical ContextAI

The vulnerability is rooted in improper input validation and output encoding of the angerDisplay parameter (CWE-79: Improper Neutralization of Input During Web Page Generation). The Safety Anger Pad application fails to sanitize or encode user-supplied input before rendering it in a web response, allowing attackers to inject arbitrary HTML/JavaScript. This is a classic web application flaw where user-controlled data flows directly into the DOM without security filtering. The attack vector is network-based (AV:N) with low complexity (AC:L), indicating the vulnerability can be exploited via standard HTTP requests without specialized techniques.

RemediationAI

Apply any available security update from SourceCodester at https://www.sourcecodester.com/. As no specific patched version is confirmed in the provided data, contact the vendor directly or check their downloads page for the latest release. Immediate workarounds include: (1) Implement server-side input validation and HTML entity encoding on the angerDisplay parameter before rendering to users; (2) Deploy a Web Application Firewall (WAF) rule to block common XSS payloads in the angerDisplay parameter; (3) Add Content Security Policy (CSP) headers to prevent inline script execution, which mitigates reflected XSS impact even if the injection succeeds. The WAF approach has minimal performance overhead but requires rule maintenance; CSP provides defense-in-depth but may break legitimate functionality if not tuned carefully. Until patched, restrict Safety Anger Pad access to trusted internal networks only if it handles sensitive data.

Share

CVE-2026-7230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy