VYPR
Low severity (3.5) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 29, 2026

CVE-2026-4835


Description

A security vulnerability has been detected in code-projects Accounting System 1.0. Impacted is an unknown function of the file /my_account/add_costumer.php of the component Web Application Interface. Such manipulation of the argument costumer_name leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability exists in code-projects Accounting System 1.0 via the costumer_name parameter in /my_account/add_costumer.php.

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability has been identified in code-projects Accounting System 1.0. The flaw resides in the costumer_name parameter of the /my_account/add_costumer.php endpoint. The application does not sanitize or validate user-supplied input before storing it in the database and later rendering it in the web interface without proper output encoding [1].

Attack Vector

An attacker can submit a malicious JavaScript payload in the costumer_name field when adding a new customer record. No special privileges or network position are required beyond the ability to access the web application interface remotely. The injected script persists in the database and executes automatically in the browser of any authenticated user who views the stored data [1].

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser context. This can lead to session hijacking, credential theft, or unauthorized actions on behalf of the authenticated user, such as modifying financial records or extracting sensitive data [1].

Mitigation

As of the publication date (2026-03-26), the vendor has not released a patch. Users should implement input validation and output encoding for the costumer_name parameter, apply Content Security Policy headers, and set HttpOnly and Secure flags on cookies to reduce risk [1].
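To make the recommended mitigation concrete, the following is an added PHP illustration, not code from code-projects Accounting System (whose source is not on this page): a minimal store-and-render pattern with the defect the advisory describes (no validation on input, no output encoding on display) beside a hardened version that validates the value on the way in, encodes it on the way out, and sends the CSP and cookie settings the mitigation section lists. The `costumers` table, the `costumer_name` column, the `$pdo` handle and all function names are assumptions.

```php
<?php
// Added illustration for the stored-XSS pattern behind CVE-2026-4835.
// NOT code from code-projects Accounting System; table/column names,
// the $pdo handle and function names are assumptions.

// --- Vulnerable pattern (what the advisory describes) -----------------
// The raw field is stored and later concatenated into HTML with no
// encoding, so any markup in costumer_name is rendered by every viewer.
function add_costumer_vulnerable(PDO $pdo, array $post): bool
{
    $name = $post['costumer_name'] ?? '';               // no validation
    $stmt = $pdo->prepare('INSERT INTO costumers (costumer_name) VALUES (:n)');
    return $stmt->execute([':n' => $name]);
}

function render_costumers_vulnerable(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT costumer_name FROM costumers') as $row) {
        $html .= '<li>' . $row['costumer_name'] . '</li>';  // raw output
    }
    return $html . '</ul>';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Validate on the way in (length and allowed character set).
// 2. Encode on the way out with htmlspecialchars(); this is the control
//    that actually stops stored XSS, validation alone is not sufficient.
function validate_costumer_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters in any script, digits, spaces and a few punctuation marks
    // that occur in real customer names; anything else is rejected.
    if (!preg_match('/^[\p{L}\p{N} .,\'&-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function add_costumer_hardened(PDO $pdo, array $post): bool
{
    $name = validate_costumer_name($post['costumer_name'] ?? '');
    if ($name === null) {
        return false;                                   // reject, do not store
    }
    $stmt = $pdo->prepare('INSERT INTO costumers (costumer_name) VALUES (:n)');
    return $stmt->execute([':n' => $name]);
}

function esc(string $s): string
{
    // ENT_QUOTES encodes both quote styles so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from producing
    // an empty (silently dropped) string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_costumers_hardened(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT costumer_name FROM costumers') as $row) {
        $html .= '<li>' . esc($row['costumer_name']) . '</li>';
    }
    return $html . '</ul>';
}

// Defence-in-depth headers from the mitigation section; must be sent
// before any output is written.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Session cookie flags: HttpOnly keeps an injected script from reading the
// session id via document.cookie, Secure keeps it off plain HTTP.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}
```

The order matters: `send_security_headers()` and `start_hardened_session()` have to run before the first byte of the page body, and `esc()` must be applied at every point where a stored value is written into HTML, not only on the add-customer page, because the data persists and is rendered elsewhere.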

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.