VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-38579

Description

Multiple reflected XSS vulnerabilities in thaipalliative_lte versions 1.0-3.0 allow remote attackers to inject arbitrary web script via ezform.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities exist in thaipalliative_lte through version 3.0. The issues are located in the /substudy/ezform.php script and involve the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42). User input is echoed directly into HTML attribute and JavaScript contexts without context-appropriate encoding, so a crafted value can break out of the attribute or string it lands in and be interpreted as markup or script [1].

Exploitation

An attacker can exploit these vulnerabilities by tricking a victim into clicking a crafted URL. The attacker needs network access and no authentication. The payload is reflected in HTML attributes or JavaScript contexts. For example, a payload targeting the idFormMain parameter could be /substudy/ezform.php?idFormMain="> [1].

Impact

Successful exploitation allows a remote attacker to inject and execute arbitrary web script or HTML in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the injected script [1].

Mitigation

There is no fixed version available for these vulnerabilities in thaipalliative_lte. Users are advised to avoid using versions 1.0 through 3.0. No workarounds or patches have been disclosed in the available references [1].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User input is echoed into HTML attributes and JavaScript contexts without encoding."

Attack vector

A remote attacker can craft a URL containing malicious JavaScript within the `idFormMain`, `id`, or `ptid_key` parameters. When a victim visits this URL, the application reflects the input directly into the HTML or JavaScript, executing the script in the victim's browser. This can lead to arbitrary script execution and potential session hijacking [1].

Affected code

The vulnerabilities are located in the `/substudy/ezform.php` file. Specifically, user input from the `idFormMain` parameter on line 24, the `id` parameter on lines 25 and 75, and the `ptid_key` parameter on lines 26 and 42 is echoed directly without proper sanitization or encoding [1].
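As an added illustration (not code from thaipalliative_lte or from the advisory), the constructed PHP fragment below shows the pattern the advisory describes, request parameters echoed straight into an HTML attribute and an inline script, next to a version that validates or encodes each value for the context it lands in; the function names, the markup and the sample input are assumptions.

```php
<?php
// Constructed example, not thaipalliative_lte's own code. It reproduces the
// two sink contexts the advisory names (HTML attribute, inline <script>) and
// the matching context-aware encoding. Parameter names follow the CVE text.

// Unsafe pattern: query parameters are echoed verbatim into the page.
function render_unsafe(array $get): string
{
    $idFormMain = $get['idFormMain'] ?? '';
    $ptidKey    = $get['ptid_key'] ?? '';
    $id         = $get['id'] ?? '';
    return '<input type="hidden" name="idFormMain" value="' . $idFormMain . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<script>var ptid = "' . $ptidKey . '";</script>';
}

// Hardened pattern: validate where a strict type is known, otherwise encode
// for the exact output context.
function render_safe(array $get): string
{
    // A record id is numeric: reject anything else instead of escaping it.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        return 'invalid id';
    }
    // HTML attribute context: escape quotes, ampersands and angle brackets.
    $attr = htmlspecialchars($get['idFormMain'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // JavaScript string context: emit a JSON literal with HTML-significant
    // characters hex-escaped so the value cannot close the <script> element.
    // json_encode() returns false on invalid UTF-8; fall back to an empty string.
    $js = json_encode($get['ptid_key'] ?? '',
                      JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
    return '<input type="hidden" name="idFormMain" value="' . $attr . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<script>var ptid = ' . $js . ';</script>';
}

// Constructed sample input: values that would terminate the attribute and the
// script string in the unsafe version, but come out inert from render_safe().
$sample = ['idFormMain' => '"><i>x</i>', 'id' => '42', 'ptid_key' => '</script>"'];
echo render_unsafe($sample), "\n";
echo render_safe($sample), "\n";
```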

What the fix does

The advisory states that no patch is available for this vulnerability. Users are advised to upgrade to a version that addresses these issues; however, no fixed version is specified, and the vendor has not released a patch to remediate the reflected cross-site scripting flaws [1].

Preconditions

  • Input: the attacker needs to provide a crafted URL with malicious input in the `idFormMain`, `id`, or `ptid_key` parameters.
  • Network: the attacker must trick a victim into visiting the crafted URL.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)