CVE-2026-6035
Description
A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vehicle Showroom Management System 1.0 has a stored XSS in /BranchManagement/ServiceAndSalesReport.php via the BRANCH_ID parameter.
Vulnerability Overview
A cross-site scripting (XSS) vulnerability exists in the code-projects Vehicle Showroom Management System version 1.0. The flaw is located in the /BranchManagement/ServiceAndSalesReport.php file, where the BRANCH_ID parameter is processed. The root cause is that user-supplied input is directly output to the web page without proper sanitization or encoding, allowing an attacker to inject arbitrary HTML or malicious script code [1].
Exploitation Details
Exploitation is possible remotely and does not require authentication or any special privileges [1]. An attacker can craft a malicious payload and submit it via the `BRANCH_ID` parameter. When the page is rendered, the injected script executes in the context of the victim's browser session [1].
Impact
Successful exploitation enables an attacker to steal cookies, session tokens, or other sensitive information, perform actions on behalf of the victim, deface web pages, redirect users to malicious sites, or potentially gain control over the victim's browser. This poses a serious threat to user privacy and system security [1].
Mitigation
As of the publication date, no official patch has been released by the vendor. The reference confirms that the vulnerability has been publicly disclosed [1]. Users should apply input validation and output encoding for the `BRANCH_ID` parameter, or consider migrating to a maintained alternative if the project remains unpatched.
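The input validation and output encoding recommended above, as an added PHP example that is not the project's code. The page does not show the source of ServiceAndSalesReport.php, so the function names, the numeric-ID assumption and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Pattern the advisory describes (hypothetical reconstruction, not the
// project's source): the request value is written into HTML unchanged.
function renderBranchHeadingUnsafe(array $query): string
{
    $branchId = $query['BRANCH_ID'] ?? '';
    return '<h2>Report for branch ' . $branchId . '</h2>';
}

// Input validation: accept only a positive integer ID (assumption: branch
// IDs are numeric keys). Returns null for anything else.
function parseBranchId(array $query): ?int
{
    $raw = $query['BRANCH_ID'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or an array such as BRANCH_ID[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding for HTML text and quoted attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderBranchHeadingSafe(array $query): string
{
    $id = parseBranchId($query);
    if ($id === null) {
        http_response_code(400);
        return '<p>Invalid branch.</p>';
    }
    // Encode at the point of output even though the value is validated.
    return '<h2>Report for branch ' . e((string) $id) . '</h2>';
}

// Constructed sample inputs: one valid ID, one value carrying markup.
foreach ([['BRANCH_ID' => '7'], ['BRANCH_ID' => '7<b>x</b>']] as $q) {
    echo renderBranchHeadingUnsafe($q), PHP_EOL; // markup passes through
    echo renderBranchHeadingSafe($q), PHP_EOL;   // rejected or encoded
}
```

Validation and encoding are applied together here: validation rejects values that are not branch IDs, and encoding at the point of output covers any other field rendered on the same report page.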
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.