VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 29, 2026

CVE-2026-6032

Description

A vulnerability was found in code-projects Simple Laundry System 1.0. It affects an unknown function of the file /checkcheckout.php. Manipulating the argument serviceId results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Simple Laundry System 1.0 has a reflected XSS vulnerability in /checkcheckout.php via the serviceId parameter, allowing remote attackers to inject scripts.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the /checkcheckout.php file of code-projects Simple Laundry System version 1.0. The root cause is insufficient sanitization of the serviceId parameter, which is echoed back to the page without proper encoding or filtering [1].

Exploitation

Attackers can exploit this flaw remotely without authentication by crafting a malicious URL that includes a JavaScript payload in the serviceId parameter. The proof-of-concept uses serviceId=%3Cscript%3Eprompt(/xss/);%3C/script%3E to trigger a prompt box [1].

Impact

Successful exploitation allows attackers to execute arbitrary JavaScript in the victim's browser, potentially stealing cookies, session tokens, or other sensitive information. It can also be used to perform actions on behalf of the victim, deface pages, or redirect to malicious sites [1].

Mitigation

As of publication, no official patch from code-projects is available [2]. Users are advised to implement input validation and output encoding for the serviceId parameter and consider applying a web application firewall rule to block malicious payloads.
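A sketch of the input validation and output encoding recommended above, as an added example; it is not code from Simple Laundry System or from the advisory. The function names, the markup, and the assumption that serviceId is a positive integer key are hypothetical, since the source of /checkcheckout.php is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; requires PHP 8.0+ for the `mixed` type.
// Assumption: serviceId is meant to be a positive integer database key.
function parse_service_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter, or array input such as serviceId[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding for values placed in HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical markup: the real page layout is not known.
function render_checkout_fragment(mixed $rawServiceId): string
{
    $id = parse_service_id($rawServiceId);
    if ($id === null) {
        // Reject with a fixed message; the rejected value is never echoed back.
        return '<p class="error">Invalid service selected.</p>';
    }
    // Encode at the sink even though $id is already an int, so the output
    // stays safe if the validation rule is loosened later.
    return '<input type="hidden" name="serviceId" value="' . h((string) $id) . '">';
}

// Constructed inputs: a valid id, the decoded payload quoted in the advisory,
// and malformed values. In the application the argument would be the request
// value, e.g. $_GET['serviceId'] ?? null (assumed to arrive in the query string).
$samples = ['7', '<script>prompt(/xss/);</script>', '7abc', '-1', ['1'], null];
foreach ($samples as $sample) {
    echo render_checkout_fragment($sample), PHP_EOL;
}
```

Only the first sample produces the hidden field; every other input yields the fixed error paragraph, so no request-controlled text reaches the response.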

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

5
