CVE-2026-4969
Description
A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. Manipulation of the argument content leads to cross-site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in code-projects Social Networking Site 1.0 allows authenticated attackers to inject malicious scripts via the post content field, affecting all viewers.
In the Social Networking Site 1.0 by code-projects, the file /home.php contains a stored cross-site scripting (XSS) vulnerability in the Alert Handler component. The application retrieves post content from the database and directly echoes it into the HTML without sanitization or output encoding, as seen in the code: <?php echo $row['content']; ?> [1].
An attacker with an authenticated account can craft a post containing arbitrary HTML or JavaScript. When other users view the social feed, the injected payload executes in their browsers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].
Successful exploitation allows the attacker to perform actions in the victim's session, such as stealing cookies, defacing pages, or redirecting users to malicious sites. Since the social platform promotes frequent content viewing, the attack can impact a wide audience.
A proof-of-concept exploit is publicly available. The vendor (code-projects) has not released a patch as of the publication date. Mitigation involves implementing proper output encoding on user-supplied content and applying content security policies.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
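The output-encoding and CSP mitigation described above, as an added example (not code from the application or from this CVE entry): the unencoded echo pattern next to an encoded form. Only `$row['content']` comes from the page; the function names, the CSP value and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the application's code. Every name except
// $row['content'] is hypothetical.

/** Encode a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The pattern the page quotes: stored content emitted verbatim. */
function render_post_unsafe(array $row): string
{
    return '<div class="post">' . $row['content'] . '</div>';
}

/** Hardened form: encode at output time, then restore line breaks. */
function render_post_safe(array $row): string
{
    return '<div class="post">' . nl2br(e($row['content']), false) . '</div>';
}

/** Defence in depth: a CSP that refuses inline script if an echo is missed. */
function send_csp_header(): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    }
}

// Constructed sample rows standing in for database results.
$rows = [
    ['content' => "Hello\nworld"],
    ['content' => '<script>alert(1)</script>'],
    ['content' => '"><img src=x onerror=alert(1)>'],
];

send_csp_header();
foreach ($rows as $row) {
    $safe = render_post_safe($row);
    // After encoding, nothing from the stored content survives as a tag.
    if (strpos($safe, '<script') !== false || strpos($safe, '<img') !== false) {
        throw new RuntimeException('encoding failed');
    }
    echo 'unsafe: ', render_post_unsafe($row), PHP_EOL;
    echo 'safe:   ', $safe, PHP_EOL;
}
```

Encoding belongs at every point where stored content is echoed, not only in /home.php; the CSP header is a backstop for any echo that is missed.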
Affected products (1)
- Range: 1.0
Patches (0)
No patches discovered yet.
References (5)