CVE-2026-5542
Description
A vulnerability was determined in code-projects Simple Laundry System 1.0. Impacted is an unknown function of the file /modstaffinfo.php of the component Parameter Handler. Executing a manipulation of the argument userid can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in code-projects Simple Laundry System 1.0 via userid parameter in modstaffinfo.php allows remote attackers to inject arbitrary script.
A cross-site scripting (XSS) vulnerability has been identified in code-projects Simple Laundry System version 1.0. The issue resides in the /modstaffinfo.php file, where the userid parameter is processed without proper sanitization or output encoding [1]. This flaw enables attackers to inject malicious script code that is directly rendered in the victim's browser.
The vulnerability can be exploited remotely without authentication. An attacker simply crafts a URL containing a malicious script in the userid parameter and tricks a victim into visiting it. The cited reference gives an example payload injected via the parameter [1]. No special privileges or network access beyond basic web interaction are required.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected web application. This can lead to theft of cookies, session tokens, or other sensitive information, as well as performing actions on behalf of the victim, defacing web pages, or redirecting users to malicious sites [1]. The impact is significant given the potential for complete compromise of user sessions and data.
As of the publication date, no official patch has been released. The vendor recommends output encoding of user input as a mitigation [1]. Users should apply input validation and output encoding to the userid parameter and consider using a Web Application Firewall (WAF) until an update is available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
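An added example of the mitigation described above (input validation plus output encoding of userid); it is not code from Simple Laundry System or from the cited references. It assumes userid is a positive integer staff identifier that the page reflects into an HTML attribute and a text node, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: not taken from Simple Laundry System's source.

/**
 * Validate userid on input. Assumption: staff IDs are positive integers.
 * Returns the integer, or null when the value is missing or malformed.
 */
function parse_userid(array $query): ?int
{
    $raw = $query['userid'] ?? null;
    if (!is_string($raw)) {          // rejects missing values and userid[]=... arrays
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the fragment that reflects userid back to the browser. */
function render_staff_form(?int $userid): string
{
    if ($userid === null) {
        // Do not echo the rejected value back, even in the error message.
        return '<p class="error">Invalid staff id.</p>';
    }
    $safe = h((string) $userid);     // encode at output even though input was validated
    return '<form method="post" action="modstaffinfo.php">'
         . '<input type="hidden" name="userid" value="' . $safe . '">'
         . '<p>Editing staff record ' . $safe . '</p>'
         . '</form>';
}

// Constructed sample inputs: well-formed, containing markup characters, and missing.
foreach ([['userid' => '42'], ['userid' => '42"><b>x</b>'], []] as $query) {
    echo render_staff_form(parse_userid($query)), PHP_EOL;
}
```

In a real handler the request's query array (for example `$_GET`) would be passed to `parse_userid()`, and any free-text field reflected on the same page would go through `h()` at the point of output.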
Affected products
- Range: = 1.0
Patches
No patches discovered yet.