Medium severity 4.3 · NVD Advisory · Published Apr 13, 2026 · Updated Apr 29, 2026

CVE-2026-6150

Description

A vulnerability has been found in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /checkupdatestatus.php. The manipulation of the argument serviceId leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Simple Laundry System 1.0 has a reflected XSS in /checkupdatestatus.php via the serviceId parameter, enabling cookie theft and session hijacking without authentication.

Vulnerability Description

The Simple Laundry System version 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the /checkupdatestatus.php file. The root cause is that the serviceId parameter is echoed directly into the web page without any sanitization or encoding, allowing an attacker to inject arbitrary HTML and JavaScript code [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that includes a serviceId parameter containing JavaScript. No authentication or authorization is required to trigger the vulnerability; any victim who clicks the crafted link will have the script executed in their browser [1].

Impact

Successful exploitation enables an attacker to steal cookies, session tokens, or other sensitive information from the victim, perform actions on behalf of the victim (such as modifying account settings or initiating transactions), deface the web application, redirect users to malicious sites, or potentially gain control of the victim's browser [1].

Mitigation Status

As of the publication date, no official patch has been released by code-projects. Administrators should implement proper input validation and output encoding for all user-supplied data, particularly the serviceId parameter, and consider deploying a Web Application Firewall (WAF) as an interim control until a vendor fix is available [1][2].
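
The input validation and output encoding recommended above, sketched as an added PHP example; it is not the application's own code, which this page does not show. The function names, the markup, and the assumption that serviceId is a positive integer are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the flawed pattern the advisory describes:
// the raw serviceId value is placed into the HTML response unchanged.
function renderStatusUnsafe(array $query): string
{
    $serviceId = $query['serviceId'] ?? '';
    return '<p>Status for service ' . $serviceId . '</p>';
}

// Output encoding for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: validate first (assumption: serviceId is a positive integer
// key), then encode on output anyway so a later change to the validation
// cannot reintroduce the injection.
function renderStatusSafe(array $query): string
{
    $raw = $query['serviceId'] ?? null;
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        // Never reflect the rejected value back in the error message.
        return '<p>Invalid service id.</p>';
    }
    return '<p>Status for service ' . e((string) $id) . '</p>';
}

// Constructed sample inputs (not taken from the advisory or its references).
$samples = [
    ['serviceId' => '42'],
    ['serviceId' => '<script>alert(1)</script>'],
    ['serviceId' => ['nested' => 'array']],   // serviceId[]=... style input
    [],
];

foreach ($samples as $query) {
    echo 'safe:    ', renderStatusSafe($query), PHP_EOL;
}
// The unsafe renderer returns the markup unmodified; the encoder neutralises it.
echo 'unsafe:  ', renderStatusUnsafe($samples[1]), PHP_EOL;
echo 'encoded: ', e($samples[1]['serviceId']), PHP_EOL;
```

In an endpoint, `renderStatusSafe($_GET)` would replace the direct echo; only the first sample produces a status line, and the other three return the fixed error message.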

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
