Severity by source

CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in code-projects Simple Laundry System 1.0. This issue affects some unknown processing of the file /modmemberinfo.php of the component Parameter Handler. Performing a manipulation of the argument userid results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used.
Analysis (AI)
Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Risk Assessment | Despite a moderate CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:N/UI:R), real-world risk is elevated by the convergence of multiple signals: (1) publicly available exploit code reduces the exploitation barrier; (2) an unauthenticated remote attack vector (PR:N, AV:N) allows any internet user to craft malicious requests; (3) low attack complexity (AC:L) requires no special techniques; (4) the UI:R component (user interaction required) is the primary limiting factor, but it is commonly satisfied in social engineering scenarios. … |
| Exploit Scenario | An attacker crafts a malicious URL containing a JavaScript payload in the userid parameter (e.g., `/modmemberinfo.php?userid=<script>alert('XSS')</script>`) and tricks a system administrator or user into clicking the link via a phishing email or social engineering. When the user visits the page, the injected script executes in their browser with their session privileges, potentially stealing their authentication cookie or performing unauthorized actions (e.g., modifying member information, escalating privileges). … |
| Remediation | Apply a vendor-released security patch if available from code-projects (https://code-projects.org/); however, no specific patched version number is confirmed in available data. … |
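The remediation row above names no patched version, so the practical fix is in the application code itself: never reflect the `userid` request parameter into HTML unencoded. The PHP below is an added example written for this record, not the Simple Laundry System source or any code-projects release; the function names, the numeric member-id format and the form markup are assumptions chosen to illustrate the pattern. It places the reflecting pattern the record describes beside a hardened version that validates the parameter and encodes it for the HTML attribute context.

```php
<?php
// Added example, not the Simple Laundry System source. Both functions are
// hypothetical reconstructions of the pattern described in the record:
// a request parameter rendered into an HTML page.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into markup, so a
// value such as <script>alert('XSS')</script> is returned to the browser as
// live script (reflected XSS).
function render_member_form_vulnerable(array $query): string
{
    $userid = $query['userid'] ?? '';
    return '<input type="text" name="userid" value="' . $userid . '">';
}

// Hardened pattern: reject anything that is not a plain string in the
// expected shape, then encode for the attribute context before output.
function render_member_form_fixed(array $query): string
{
    $userid = $query['userid'] ?? '';

    // Allow-list validation. A member id is assumed here to be numeric;
    // is_string() also blocks array-valued parameters (?userid[]=x).
    if (!is_string($userid) || !preg_match('/^\d{1,10}$/', $userid)) {
        http_response_code(400);
        return '<p>Invalid member id.</p>';
    }

    // Context-aware output encoding. ENT_QUOTES escapes both quote styles so
    // the value cannot terminate the attribute; ENT_HTML5 and an explicit
    // charset avoid encoding ambiguities.
    $safe = htmlspecialchars($userid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="userid" value="' . $safe . '">';
}

// Demonstration with a constructed malicious value (the payload quoted in
// the exploit scenario above) and a benign one.
$probe = ['userid' => "<script>alert('XSS')</script>"];
echo render_member_form_vulnerable($probe), PHP_EOL; // script tag reaches the browser intact
echo render_member_form_fixed($probe), PHP_EOL;      // rejected with HTTP 400 before rendering
echo render_member_form_fixed(['userid' => '42']), PHP_EOL; // normal id passes through encoded
```

The output encoding is the essential change: even if the id format assumed here is wrong for the real application and the validation is relaxed, `htmlspecialchars()` with `ENT_QUOTES` keeps a reflected value from becoming markup or script. A restrictive `Content-Security-Policy` header is a reasonable defence-in-depth layer on top, but it does not replace encoding at the output point.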
EUVD-2026-19032