VYPR
Medium severity · 5.4 · NVD Advisory · Published Apr 20, 2026 · Updated Apr 20, 2026

CVE-2026-39112

Description

Cross-site scripting vulnerability in Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in manage-newvisitors.php or visitor-detail.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Apartment Visitors Management System v1.1 via the visname parameter allows authenticated attackers to execute arbitrary JavaScript in admin sessions.

Vulnerability Overview

CVE-2026-39112 is a stored cross-site scripting (XSS) vulnerability found in the Apartment Visitors Management System (AVMS) v1.1, a web-based application built with PHP and MySQL [1]. The flaw resides in the visname parameter of visitors-form.php, where an authenticated admin adds new visitor records. The application fails to properly sanitize or encode user-supplied input on this page, allowing an attacker to inject arbitrary JavaScript that is stored in the database [2].

Attack Vector and Exploitation

An attacker must first authenticate as an admin to access the visitor form [1]. Once logged in, the attacker can supply a malicious script payload in the visitor name field (visname) during visitor creation [2]. The payload is stored and later rendered unsafely when the admin views visitor records on pages such as manage-newvisitors.php or visitor-detail.php [2]. No user interaction beyond visiting the affected page is required for the script to execute.

Impact

Successful exploitation results in JavaScript execution within the context of the admin's browser session. This can lead to session theft, sensitive data exposure, or unauthorized actions performed as the admin [2]. Since the XSS is stored, the impact persists for every admin who views the tainted visitor record, making it a reliable and repeatable attack vector.

Mitigation Status

At the time of publication, no vendor-supplied patch has been released [1][2]. The vendor recommends sanitizing user inputs and following OWASP secure coding practices, but no official fix is confirmed. Administrators should implement input validation, output encoding, and consider content security policy (CSP) headers as interim defenses [2].
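The interim defences above, shown as an added example rather than code from the AVMS project: context-aware output encoding of visname on the pages that display it, a validation check on the input side, and a CSP header that blocks inline script. Function names and the sample row are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the AVMS project: the advisory says the visname
// value saved by visitors-form.php is rendered unencoded in
// manage-newvisitors.php / visitor-detail.php. Function names are hypothetical.

// Output encoding for the HTML text/attribute context. Every value read back
// from the database is treated as untrusted at render time, whatever was
// checked when it was stored.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation for a visitor name (length bound plus a character allowlist).
// This narrows what can be stored; it does not replace h() at output.
function isValidVisitorName(string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return false;
    }
    // letters in any script, combining marks, spaces, apostrophes, hyphens, periods
    return preg_match('/^[\p{L}\p{M}\s\'.\-]+$/u', $name) === 1;
}

// One visitor row as a list page such as manage-newvisitors.php might emit.
// The unsafe pattern the CVE describes is the commented-out line.
function renderVisitorRow(array $row): string
{
    // Unsafe: return '<tr><td>' . $row['visname'] . '</td></tr>';
    return '<tr><td>' . h($row['visname']) . '</td></tr>';
}

// Interim defence in depth from the advisory: a policy without 'unsafe-inline'
// means an inline <script> that slips past encoding elsewhere still will not run.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Constructed sample standing in for a tainted database row.
$tainted = ['visname' => 'Bob <script>alert(1)</script>'];

// The allowlist rejects markup characters on input; the encoder neutralises
// anything already stored when the row is rendered.
var_dump(isValidVisitorName($tainted['visname']));
if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . cspHeaderValue());
}
echo renderVisitorRow($tainted), PHP_EOL;
```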

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.