Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used.
AnalysisAI
Stored or reflected cross-site scripting (XSS) in SourceCodester Safety Anger Pad 1.0 allows remote unauthenticated attackers to inject malicious scripts via the angerDisplay parameter, potentially compromising user sessions and stealing sensitive data. The vulnerability requires user interaction (UI:R per CVSS) but has publicly available exploit code and a moderate CVSS score of 4.3, making it a practical attack vector for credential harvesting or malware distribution.
Technical ContextAI
The vulnerability is rooted in improper input validation and output encoding of the angerDisplay parameter (CWE-79: Improper Neutralization of Input During Web Page Generation). The Safety Anger Pad application fails to sanitize or encode user-supplied input before rendering it in a web response, allowing attackers to inject arbitrary HTML/JavaScript. This is a classic web application flaw where user-controlled data flows directly into the DOM without security filtering. The attack vector is network-based (AV:N) with low complexity (AC:L), indicating the vulnerability can be exploited via standard HTTP requests without specialized techniques.
RemediationAI
Apply any available security update from SourceCodester at https://www.sourcecodester.com/. As no specific patched version is confirmed in the provided data, contact the vendor directly or check their downloads page for the latest release. Immediate workarounds include: (1) Implement server-side input validation and HTML entity encoding on the angerDisplay parameter before rendering to users; (2) Deploy a Web Application Firewall (WAF) rule to block common XSS payloads in the angerDisplay parameter; (3) Add Content Security Policy (CSP) headers to prevent inline script execution, which mitigates reflected XSS impact even if the injection succeeds. The WAF approach has minimal performance overhead but requires rule maintenance; CSP provides defense-in-depth but may break legitimate functionality if not tuned carefully. Until patched, restrict Safety Anger Pad access to trusted internal networks only if it handles sensitive data.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25999