CVE-2026-5539
Description
A flaw has been found in code-projects Simple Laundry System 1.0. It affects an unknown part of the file /modifymember.php of the component Parameter Handler. Manipulation of the argument firstName causes cross-site scripting. The attack can be initiated remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in code-projects Simple Laundry System 1.0 allows attackers to execute arbitrary scripts via the firstName parameter in /modifymember.php.
Vulnerability Overview
The vulnerability resides in the /modifymember.php file of code-projects Simple Laundry System version 1.0. The firstName parameter is not sanitized or encoded before being output to the web page, enabling Cross-Site Scripting (XSS) attacks. The root cause is insufficient input validation and output encoding, allowing an attacker to inject arbitrary script code [1].
Exploitation
Exploitation can be performed remotely without requiring authentication or prior authorization. An attacker can craft a malicious payload and submit it via the `firstName` parameter. The application then renders this payload in the victim's browser when the page is loaded, leading to script execution [1].
Impact
Successful exploitation allows an attacker to steal cookies, session tokens, and other sensitive information, perform actions on behalf of the victim, deface web pages, redirect users to malicious sites, or gain control of the victim's browser. This poses a serious threat to user privacy and system security [1].
Mitigation
No official patch has been released by the vendor as of the publication date. The recommended fix is to implement proper output encoding for all user-supplied input, particularly the firstName parameter, to prevent the execution of injected scripts [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
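One way to apply the validation and output encoding recommended under Mitigation, as an added example rather than the project's own code: the source of /modifymember.php is not shown on this page, so the function names, the form markup, the name policy and the sample value are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names and markup are hypothetical; the real
// modifymember.php may be structured differently.

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Assumed input policy: letters, combining marks, space, apostrophe, dot, hyphen. */
function isPlausibleFirstName(string $value): bool
{
    return preg_match("/^\p{L}[\p{L}\p{M}' .-]{0,63}$/u", $value) === 1;
}

/** Weak form: the stored value is concatenated into the markup as-is. */
function renderFirstNameRaw(string $firstName): string
{
    return '<input type="text" name="firstName" value="' . $firstName . '">';
}

/** Corrected form: the value is encoded at the point of output. */
function renderFirstNameEncoded(string $firstName): string
{
    return '<input type="text" name="firstName" value="' . e($firstName) . '">';
}

// Constructed sample value: harmless markup plus both quote characters.
$stored = 'Ann"><b>x</b> O\'Neil';

// Validation on write rejects the value before it is stored.
var_dump(isPlausibleFirstName($stored));
var_dump(isPlausibleFirstName("Zoë O'Neil"));

// Encoding on output is still required: older rows or other code paths
// may already hold unvalidated data.
echo renderFirstNameRaw($stored), PHP_EOL;
echo renderFirstNameEncoded($stored), PHP_EOL;

// After encoding, no character that can end an attribute or open a tag remains.
var_dump(strpbrk(e($stored), '<>"\'') === false);
```

The encoding shown here fits HTML text and quoted attribute contexts only; a value written into a script block or a URL needs the encoder for that context.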
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
References