VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Apr 1, 2026 · Updated Apr 29, 2026

CVE-2026-5240

Description

A cross-site scripting vulnerability has been identified in code-projects BloodBank Managing System 1.0, in an unspecified part of the file /admin_state.php. Manipulation of the statename argument leads to cross-site scripting. The attack can be initiated remotely, and the exploit has been publicly disclosed and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in code-projects Blood Bank Managing System 1.0 via unsanitized statename parameter in /admin_state.php allows remote attackers to inject arbitrary scripts.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability has been identified in code-projects Blood Bank Managing System version 1.0. The flaw resides in the administrative state management functionality, specifically within the file /admin_state.php. The published description says only that manipulation of the statename parameter leads to XSS; it does not state whether the injection is stored or reflected. This synthesis treats it as stored: the application fails to properly sanitize the value supplied through the statename parameter before storing it in the backend database, and later echoes it back without encoding [1].

Exploitation

Details

An attacker can exploit this vulnerability by sending a crafted HTTP request (typically a POST form submission) to the affected endpoint with JavaScript or HTML embedded in the statename parameter. The advisory states that the attack can be initiated remotely, meaning over the network; it does not say whether an authenticated administrator session is needed to reach /admin_state.php, so the endpoint should not be assumed to be open to unauthenticated users. Once accepted, the payload is stored and later rendered without output encoding when an administrator or other user views the state management page, causing the script to execute in that user's browser in the application's origin [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser within the application's origin. This can lead to session hijacking (theft of session cookies that are not marked HttpOnly, or actions performed with the victim's session), defacement of the administrative interface, or theft of sensitive information such as credentials entered into the page. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3 base score of 4.3 (Medium) [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. The vendor's homepage is referenced in the advisory [2]. Until a fix is available, users are advised to validate the statename parameter on input against an allowlist (for example letters, spaces and hyphens, with a length limit), to apply output encoding with htmlspecialchars() using ENT_QUOTES and an explicit UTF-8 charset at every point where the value is written into HTML, to use parameterized queries when storing it, and to restrict access to the administrative interface to authenticated administrators. Input validation alone is not sufficient, since values already in the database and values entered through other paths still need to be encoded on output. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
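The vulnerable pattern the Exploitation section describes, beside the hardened handler this section recommends, as an added example; it is not code from code-projects or from this advisory, and the real layout of admin_state.php is not shown on this page. It assumes a mysqli connection `$con` established elsewhere, a `state` table with `id` and `statename` columns, a session key `admin_id` set by the login page, and the mbstring extension.

```php
<?php
// Added example, not the project's code. Assumptions: an open mysqli connection
// $con, a table `state` (id, statename), $_SESSION['admin_id'] set at login,
// and ext/mbstring. The real admin_state.php may be laid out differently.
declare(strict_types=1);

// --- Vulnerable pattern (CWE-79): the value is echoed verbatim. ---
function row_vulnerable(array $row): string
{
    // A statename of  <script>alert(document.cookie)</script>  is emitted
    // unchanged and runs for every admin who opens the state list.
    return '<tr><td>' . $row['id'] . '</td><td>' . $row['statename'] . '</td></tr>';
}

// --- Hardened form: validate on input, encode on output, parameterise SQL. ---

// Output encoding for HTML text and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist: letters in any script, spaces, hyphens, apostrophes; 1-64 chars.
// Returns null on rejection so the caller can refuse the request.
function validate_statename(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L} \'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function row_hardened(array $row): string
{
    return '<tr><td>' . h((string) $row['id']) . '</td><td>'
         . h((string) $row['statename']) . '</td></tr>';
}

// Prepared statement: the name is bound as data, never interpolated into SQL.
function save_state(mysqli $con, string $statename): void
{
    $stmt = $con->prepare('INSERT INTO state (statename) VALUES (?)');
    $stmt->bind_param('s', $statename);
    $stmt->execute();
}

function state_rows_html(mysqli $con): string
{
    $html = '';
    $res = $con->query('SELECT id, statename FROM state ORDER BY statename');
    while ($row = $res->fetch_assoc()) {
        $html .= row_hardened($row);   // never row_vulnerable()
    }
    return $html;
}

// --- Request handling for admin_state.php (assumed layout). ---
session_start();
if (empty($_SESSION['admin_id'])) {      // keep the admin interface admin-only
    header('Location: login.php');
    exit;
}
// Defence in depth: an injected inline script would still be blocked.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = validate_statename((string) ($_POST['statename'] ?? ''));
    if ($name === null) {
        http_response_code(400);
        exit('Invalid state name');
    }
    save_state($con, $name);
}
echo '<table>' . state_rows_html($con) . '</table>';
```

The encoding in `h()` is correct for HTML element content and quoted attributes only; if the state name is ever written into a `<script>` block or an inline event handler, that context needs its own encoding (for example `json_encode()` with the `JSON_HEX_*` flags), and the same call has to be applied on every page that displays the value, not just this one.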

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)