
PHP EUVD-2026-23415

CVE-2026-6486 (LOW)
Cross-site Scripting (XSS) (CWE-79)
2026-04-17 · VulDB · GHSA-376w-pjjp-jrvj
Score: 2.0 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS vector metrics (NVD)

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Passive (UI:P)
Scope: X (not defined)

Lifecycle Timeline (10 events)

Apr 29, 2026 01:12 NVD: Severity changed, MEDIUM -> LOW
Apr 29, 2026 01:12 NVD: CVSS changed, 5.1 (MEDIUM) -> 2.0 (LOW)
Apr 29, 2026 01:00 vuln.today: PoC detected (public exploit code)
Apr 17, 2026 13:22 NVD: Severity changed, LOW -> MEDIUM
Apr 17, 2026 13:22 NVD: CVSS changed, 3.5 (LOW) -> 5.1 (MEDIUM)
Apr 17, 2026 12:56 vuln.today: Analysis generated
Apr 17, 2026 12:45 euvd: EUVD ID assigned (EUVD-2026-23415)
Apr 17, 2026 12:45 vuln.today: Analysis generated
Apr 17, 2026 12:45 nvd: Patch released (patch available)
Apr 17, 2026 12:15 nvd: CVE published, LOW 2.0

Description (source: CVE.org)

A vulnerability was detected in classroombookings up to 2.17.0. It affects the function read of the file crbs-core/application/views/layout.php of the component User Display Name Handler. Manipulation of the argument displayname results in cross-site scripting. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 2.17.1 fixes this issue. The patch is identified as 69c3c9bb8a17f1ea572d8f4502bf238f0214c98a. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Analysis (AI-generated)

Stored cross-site scripting (XSS) in Classroom Bookings up to version 2.17.0 allows authenticated users to inject malicious scripts via the displayname parameter in the User Display Name Handler component, resulting in arbitrary script execution in other users' browsers. The vulnerability requires user interaction (victim must view the affected page) and authenticated access, limiting immediate risk, but publicly available exploit code and vendor confirmation of the issue increase real-world threat. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain valid credentials (or create account)
Delivery: Modify displayname with XSS payload
Exploit: Attacker-controlled page renders poisoned name
Execution: Administrator views page
Persist: Malicious script executes in admin session
Impact: Unauthorized action performed (delete users, modify bookings, access data)

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the attacker to possess valid authenticated credentials to Classroom Bookings (PR:L confirmed by CVSS vector), meaning account creation or credential compromise is a prerequisite. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This vulnerability presents moderate but manageable risk despite its public exploit availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated attacker creates a Classroom Bookings user account (if user registration is enabled) or compromises an existing low-privilege account, then modifies their displayname field to inject a script payload such as <script>fetch('/admin/users?delete=1')</script> or a script that harvests session tokens. When administrators or other staff view the attacker's profile, the booking dashboard, or any page rendering user display names, the injected script executes in their browser with their session privileges, potentially leading to unauthorized administrative actions or session hijacking. …

Remediation: Upgrade Classroom Bookings to version 2.17.1 or later immediately; that release includes commit 69c3c9bb8a17f1ea572d8f4502bf238f0214c98a, which properly sanitizes displayname inputs. … Detailed patch versions, workarounds, and compensating controls in full report.
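The defect class here is a stored XSS caused by echoing a user-controlled value (displayname) into a PHP view without output encoding. The following is an added example written for this page; it is not code from classroombookings, not the contents of layout.php, and not the referenced patch commit. It assumes a view fragment that prints the display name into an HTML text node, and contrasts the unescaped pattern with the same fragment routed through a context-aware escaping helper built on PHP's htmlspecialchars(). The function names, the sample display name and the self-check are constructed for illustration.

```php
<?php
// Added example, not classroombookings code. Assumes a view that prints a
// user-supplied display name into HTML; the real layout.php is not reproduced.
declare(strict_types=1);

/**
 * Escape an untrusted string for an HTML text node or a double-quoted
 * attribute. ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE keeps
 * invalid UTF-8 from producing an empty (silently dropped) output.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern (hypothetical): the stored value is concatenated into
 * markup verbatim, so any tags or attributes it carries become part of the page.
 */
function render_user_badge_unsafe(string $displayname): string
{
    return '<span class="user" title="' . $displayname . '">' . $displayname . '</span>';
}

/**
 * Hardened pattern: every untrusted value passes through e() at the point of
 * output, in both the attribute and the text-node position.
 */
function render_user_badge_safe(string $displayname): string
{
    return '<span class="user" title="' . e($displayname) . '">' . e($displayname) . '</span>';
}

/**
 * Regression check a maintainer could keep in a test suite: the rendered
 * fragment must contain exactly the static tags the template defines and no
 * tag derived from the input. Returns true when the output is clean.
 */
function renders_without_injected_markup(string $rendered): bool
{
    // Strip the single static <span ...>...</span> the template is allowed to emit.
    $stripped = preg_replace('#^<span class="user" title="[^"]*">|</span>$#', '', $rendered);
    return $stripped !== null && strpos($stripped, '<') === false && strpos($stripped, '"') === false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a display name that carries markup and a quote.
    $sample = 'Alice" <script>alert(1)</script>';

    $unsafe = render_user_badge_unsafe($sample);
    $safe   = render_user_badge_safe($sample);

    echo "unsafe: $unsafe\n";
    echo "safe:   $safe\n";
    echo 'unsafe clean? ', var_export(renders_without_injected_markup($unsafe), true), "\n"; // false
    echo 'safe clean?   ', var_export(renders_without_injected_markup($safe), true), "\n";   // true
}
```

Escaping must match the output context: e() is correct for HTML text and quoted attributes, but a value written into a JavaScript block needs json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT instead, and a value used in a URL needs rawurlencode(). Input-side filtering of the display name is a useful defence in depth but does not replace output encoding, because the same stored value is typically rendered in more than one place.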


EUVD-2026-23415 vulnerability details – vuln.today
