VYPR
Low severity (2.4) · NVD Advisory · Published Mar 31, 2026 · Updated Apr 29, 2026

CVE-2026-5209

Description

A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Leave Application System 1.0 has a reflected XSS in the User Management Handler, allowing remote unauthenticated script injection.

Vulnerability Overview

The SourceCodester Leave Application System 1.0 contains a cross-site scripting (XSS) vulnerability in the User Management Handler component. The issue is classified as having low severity (CVSS v3 base score: 2.4) and has been publicly disclosed [1]. The root cause involves insufficient neutralization of user-supplied input, enabling an attacker to inject arbitrary web scripts or HTML.

Exploitation Prerequisites

Exploitation can be carried out remotely without authentication. An attacker can craft a malicious link containing the XSS payload and deliver it to a target user via social engineering or other means. If the target user clicks the link while logged into the application, the script executes in the context of their session [1].

Potential Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This could lead to session hijacking, defacement, or redirection to malicious sites. The attack requires user interaction and may have limited impact on the overall system, which is consistent with the low severity rating [1].

Mitigation Status

No patch or vendor advisory is available as of the publication date. Administrators should restrict access to the affected component, sanitize input, and consider implementing a web application firewall (WAF) until a fix is released [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 5
