{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-39112", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-20T18:07:53.479Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T17:20:45.619Z"}, "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitors.php or visitor-detail.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/"}, {"url": "https://phpgurukul.com/?sdm_process_download=1&download_id=21524"}, {"url": "https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T18:07:20.022914Z", "id": "CVE-2026-39112", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:07:53.479Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39112", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T18:07:20.022914Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:07:49.715Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/"}, {"url": "https://phpgurukul.com/?sdm_process_download=1&download_id=21524"}, {"url": "https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/"}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitors.php or visitor-detail.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T17:20:45.619Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39112", "state": "PUBLISHED", "dateUpdated": "2026-04-20T18:07:53.479Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitors.php or visitor-detail.php."}], "id": "CVE-2026-39112", "lastModified": "2026-04-20T18:51:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T18:16:27.417", "references": [{"source": "cve@mitre.org", "url": "https://github.com/efekaanakkar/Apartment-Visitors-Management-System-CVEs/"}, {"source": "cve@mitre.org", "url": "https://phpgurukul.com/?sdm_process_download=1&download_id=21524"}, {"source": "cve@mitre.org", "url": "https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:40:26.492133+00:00", "value": {"mitigation_remediation": ["Implement input validation and output encoding for the visname field to neutralize XSS payloads.", "Apply any vendor\u2011provided updates or patches that address the XSS issue as soon as they become available.", "Restrict the ability to submit unsanitized visitor names to a minimal set of privileged users or enforce administrative review before data is stored."], "summary": {"action": "Apply Fix", "impact": "Stored Cross\u2011Site Scripting (authenticated users)"}, "threat_synthesis": {"affected_systems": "The affected product is Apartment Visitors Management System V1.1, a PHP/MySQL based web application used for managing apartment visitor logs. The vulnerability is tied specifically to the visname parameter of visitors-form.php and impacts any instance running this version that allows authenticated users to create visitor entries.", "description_and_impact": "A stored cross\u2011site scripting flaw resides in the visname field of visitors-form.php in Apartment Visitors Management System V1.1. An authenticated user can submit malicious JavaScript that is later rendered when the entry is viewed in manage-newvisitors.php or visitor-detail.php. Because the payload is executed in the context of the victim\u2019s browser, the attacker can deface pages, hijack sessions, and run any client\u2011side code, thereby compromising confidentiality, integrity, and availability of the application for logged\u2011in users.", "risk_and_exploitability": "No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalogue. However, the flaw can be exploited by any authenticated user without requiring additional privileges or special conditions, making it widely exploitable within the environment it is deployed. The CVSS base score\u2014while unspecified in this report\u2014would reflect the high impact of client\u2011side code execution. The attacker does not need network access beyond the normal login channel, so the attack vector is considered local to a logged\u2011in session."}}}}, "created": "2026-04-20T18:45:14.229799+00:00", "title": "Stored Cross\u2011Site Scripting in Apartment Visitors Management System via visname Parameter", "updated": "2026-04-20T18:45:14.229816+00:00", "vendors": [], "weaknesses": ["CWE-79"]}