{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4626", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-23T06:26:24.125Z", "datePublished": "2026-03-24T02:46:13.972Z", "dateUpdated": "2026-03-26T12:29:09.031Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-24T02:46:13.972Z"}, "title": "projectworlds Lawyer Management System lawyer_booking.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "projectworlds", "product": "Lawyer Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in projectworlds Lawyer Management System 1.0. This impacts an unknown function of the file /lawyer_booking.php. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-23T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-23T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-23T07:31:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "WangYiQi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352494", "name": "VDB-352494 | projectworlds Lawyer Management System lawyer_booking.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352494", "name": "VDB-352494 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775791", "name": "Submit #775791 | projectworlds Lawyer Management System v1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/eqiya17/collection-of-vulnerability/issues/2", "tags": ["exploit", "issue-tracking"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T12:28:57.376514Z", "id": "CVE-2026-4626", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T12:29:09.031Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4626", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T12:28:57.376514Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T12:29:05.468Z"}}], "cna": {"tags": ["x_freeware"], "title": "projectworlds Lawyer Management System lawyer_booking.php cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "WangYiQi (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "projectworlds", "product": "Lawyer Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-23T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-23T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-23T07:31:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352494", "name": "VDB-352494 | projectworlds Lawyer Management System lawyer_booking.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352494", "name": "VDB-352494 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775791", "name": "Submit #775791 | projectworlds Lawyer Management System v1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/eqiya17/collection-of-vulnerability/issues/2", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in projectworlds Lawyer Management System 1.0. This impacts an unknown function of the file /lawyer_booking.php. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-24T02:46:13.972Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4626", "state": "PUBLISHED", "dateUpdated": "2026-03-26T12:29:09.031Z", "dateReserved": "2026-03-23T06:26:24.125Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-24T02:46:13.972Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in projectworlds Lawyer Management System 1.0. This impacts an unknown function of the file /lawyer_booking.php. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."}], "id": "CVE-2026-4626", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-24T04:17:25.100", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/eqiya17/collection-of-vulnerability/issues/2"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352494"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352494"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775791"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0,1.0]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Lawyer Management System", "source": "cna", "vendor": "projectworlds"}, "product": "leave_management_system", "vendor": "projectworlds"}], "analysis": {"en": {"generated_at": "2026-03-24T04:23:29.503877+00:00", "value": {"mitigation_remediation": ["Apply vendor patch if available", "Implement input validation and output encoding for the Description field", "Deploy a web application firewall rule to block XSS payloads", "Monitor logs for suspicious activity"], "summary": {"action": "Update Software", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects projectworlds Lawyer Management System version 1.0. No other affected versions are listed.", "description_and_impact": "A cross\u2011site scripting vulnerability exists in the lawyer_booking.php file of projectworlds Lawyer Management System 1.0. Manipulation of the Description parameter allows an attacker to inject arbitrary scripts into the page, which will execute in the victim\u2019s browser. The injected code can steal cookies, hijack sessions, deface content, or perform further attacks. The weakness is identified as CWE\u201179 and may also involve code execution capabilities (CWE\u201194) if the payload is processed unchecked. This flaw is exploitable remotely and is publicly disclosed.", "risk_and_exploitability": "The CVSS score of 5.1 corresponds to a medium risk level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable parameter through a standard HTTP request, so the attack vector is inferred to be remote. While the exploit is publicly known, typical XSS attacks remain common and can be automated, indicating a non\u2011negligible likelihood of exploitation, especially if the application\u2019s output is not properly sanitized."}}}}, "created": "2026-03-24T10:29:20.871766+00:00", "updated": "2026-03-25T20:40:26.091216+00:00", "vendors": ["projectworlds", "projectworlds$PRODUCT$leave_management_system"]}