CVE-2026-5806
Description
A security vulnerability has been detected in code-projects Easy Blog Site 1.0. This affects an unknown function of the file /posts/update.php. The manipulation of the argument postTitle leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Easy Blog Site 1.0 suffers from a stored XSS vulnerability in the post update functionality due to unsanitized input in the postTitle parameter.
CVE-2026-5806 describes a stored cross-site scripting (XSS) vulnerability in code-projects Easy Blog Site 1.0. The flaw resides in the /posts/update.php endpoint, where the postTitle parameter is taken directly from user input without proper handling. According to the advisory, the application retrieves this parameter from the HTTP request and stores it in the backend database without validation or sanitization. When the stored value is later rendered in the HTML interface, no output encoding (e.g., htmlspecialchars()) is applied, allowing embedded HTML or JavaScript to be interpreted and executed by the browser [1].
The attack can be initiated remotely with no authentication requirements, as the update functionality is accessible to users. An attacker can inject a malicious payload such as <details/open/ontoggle=prompt(origin)> into the postTitle field. Once the post is updated, the payload is stored in the database and executed whenever the affected post is viewed by any user, making it a persistent (stored) XSS scenario [1].
The impact is the execution of arbitrary script code in the context of the victim's browser when they visit the compromised post. This can be leveraged to steal session cookies, deface pages, or perform actions on behalf of the authenticated user. The vulnerability is classified under CWE-79 and carries a CVSS v3 base score of 3.5, reflecting the requirement for user interaction and the scope of impact [CVE description].
As of the publication date (2026-04-08), the exploit has been disclosed publicly. The vendor, code-projects, provides the software and the advisory recommends proper input validation and output encoding as remediation. No official patch has been confirmed at the time of writing [1][2].
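The store-then-render flow described above, as an added example that is not part of this advisory or of the Easy Blog Site code base: the title is stored exactly as received (as the advisory describes), then rendered once without encoding and once through htmlspecialchars(). The function names, the in-memory post store standing in for the database, and the plain-title length check are assumptions for illustration.

```php
<?php
// Added example, not Easy Blog Site's own code. Models the /posts/update.php
// flow described in the advisory: postTitle is stored unchanged, then echoed
// into HTML. Function names and the in-memory store are hypothetical.

// Constructed in-memory "database" standing in for the backend posts table.
$posts = [];

// Mirrors the described behaviour: the title is persisted exactly as received,
// with no validation or sanitization at write time.
function updatePost(array &$posts, int $id, string $postTitle): void
{
    $posts[$id] = ['title' => $postTitle];
}

// Vulnerable render: the raw title is interpolated into the page, so any
// markup stored in it is interpreted by the browser (stored XSS).
function renderTitleVulnerable(array $posts, int $id): string
{
    return '<h1>' . $posts[$id]['title'] . '</h1>';
}

// Hardened render: htmlspecialchars() with ENT_QUOTES | ENT_HTML5 turns
// <, >, &, " and ' into entities, so the stored value can only ever be text.
// This is the output-encoding fix the advisory recommends.
function renderTitleSafe(array $posts, int $id): string
{
    $title = htmlspecialchars($posts[$id]['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $title . '</h1>';
}

// Defence in depth at input time (assumed policy, not from the advisory):
// a post title never needs markup, so reject anything strip_tags() would
// alter, and cap the length. Output encoding above remains the primary fix.
function isPlainTitle(string $postTitle): bool
{
    return $postTitle === strip_tags($postTitle) && strlen($postTitle) <= 200;
}

// Demonstration using the payload quoted in the advisory as the stored title.
$payload = '<details/open/ontoggle=prompt(origin)>';
updatePost($posts, 1, $payload);

echo 'vulnerable: ' . renderTitleVulnerable($posts, 1) . PHP_EOL;
echo 'hardened:   ' . renderTitleSafe($posts, 1) . PHP_EOL;
echo 'plain-title check: ' . (isPlainTitle($payload) ? 'accepted' : 'rejected') . PHP_EOL;
```

Run with `php example.php`: the vulnerable line reproduces the stored markup verbatim, while the hardened line shows the same value with its angle brackets converted to entities, and the input check rejects it. The encoding belongs at the render step (every place the title is echoed), because a stored value may later be emitted by code paths that did not exist when it was written.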
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5 references
News mentions
No linked articles in our index yet.