{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30526", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T15:04:04.957Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T14:18:27.224Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:02:40.949689Z", "id": "CVE-2026-30526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:04:04.957Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:02:40.949689Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:02:11.629Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md"}], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T14:18:27.224Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30526", "state": "PUBLISHED", "dateUpdated": "2026-04-01T15:04:04.957Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL."}], "id": "CVE-2026-30526", "lastModified": "2026-04-01T16:23:49.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T15:22:59.277", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "zoo_management_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-02T04:49:47.645639+00:00", "value": {"mitigation_remediation": ["Apply a patched version of SourceCodester Zoo Management System v1.0 if one is available from the vendor.", "If no patch exists, eliminate or move the \"msg\" parameter out of the query string and validate or sanitise its contents on the server side before reflecting it.", "Ensure that any user\u2011supplied data reflected back to the browser is properly HTML\u2011escaped or encoded.", "Consider configuring a Content\u2011Security\u2011Policy header to mitigate the impact of any residual XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SourceCodester Zoo Management System version 1.0 as distributed by SourceCodester. No other vendors or versions are mentioned in the CVE entry.", "description_and_impact": "A reflected cross\u2011site scripting flaw exists in the login page of the SourceCodester Zoo Management System. The \"msg\" query parameter is rendered back to the user without HTML encoding or sanitisation, which lets an attacker inject arbitrary script or markup into the page. The impact is that the injected code will execute in the context of the victim\u2019s browser. The potential consequences \u2013 such as session hijacking, credential theft, or site defacement \u2013 are inferred from the nature of XSS and are not directly stated in the CVE description.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a specially crafted URL containing malicious content in the \"msg\" parameter and a victim who follows that link. The attack vector is remote and does not require local access or elevated privileges."}}}}, "created": "2026-04-02T07:51:18.293711+00:00", "title": "Reflected XSS in SourceCodester Zoo Management System Login", "updated": "2026-04-03T08:59:02.544152+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$zoo_management_system"], "weaknesses": ["CWE-79"]}