CVE-2026-6162
Description
A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. It affects an unknown function of the file /bwdates-reports-details.php. Manipulation of the argument fromdate leads to cross-site scripting. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPGurukul Company Visitor Management System 2.0 has a reflected XSS in /bwdates-reports-details.php via fromdate, allowing remote script execution in victims' browsers.
Vulnerability Details
The vulnerability is a reflected Cross-Site Scripting (XSS) in the file /bwdates-reports-details.php of PHPGurukul Company Visitor Management System v2.0. The fromdate parameter is not properly sanitized, allowing injection of arbitrary HTML/JavaScript. [2]
Exploitation
An attacker can craft a malicious URL containing a script payload in the fromdate parameter. When a victim clicks on the link, the server reflects the payload back in the response, causing it to execute in the victim's browser. No authentication is required for the attack, and the exploit has been publicly disclosed with a proof of concept using alert(document.cookie). [2]
Impact
Successful exploitation allows execution of arbitrary JavaScript in the context of the vulnerable application. This can lead to cookie theft, session hijacking, defacement, or redirection to malicious sites. Since the application is used for visitor management, sensitive data could be exposed. [2]
Mitigation
As of the publication date, no official patch has been released. Users should implement input validation and output encoding for the fromdate parameter. The vendor has been notified via the public disclosure. [2]
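The input validation and output encoding recommended above could look like the following for a date parameter. This is an added example, not code from PHPGurukul or from the referenced disclosure; the function names are hypothetical, the YYYY-MM-DD format is an assumption about what the report form submits, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a real calendar date in YYYY-MM-DD form
// (assumed format; the page does not state what the application expects).
function parse_from_date(mixed $raw): ?DateTimeImmutable
{
    if (!is_string($raw) || preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw) !== 1) {
        return null;                       // arrays, markup, extra characters
    }
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat() rolls 2026-02-31 over to March; the round trip rejects it.
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        return null;
    }
    return $date;
}

// Hypothetical helper: encode for HTML text and quoted-attribute contexts.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the fragment that shows the selected start date. The raw request
// value is never written to the response, even on the error path.
function render_from_date(mixed $raw): string
{
    $date = parse_from_date($raw);
    if ($date === null) {
        return '<p class="error">Invalid start date.</p>';
    }
    // Encode anyway: output encoding must not depend on validation staying intact.
    return '<p>Report from: ' . html_escape($date->format('Y-m-d')) . '</p>';
}

// Constructed sample inputs standing in for the submitted fromdate value.
$samples = ['2026-05-01', '2026-02-31', '"><b>not-a-date</b>', ['2026-05-01']];
foreach ($samples as $raw) {
    echo render_from_date($raw), PHP_EOL;
}

// Where free text must be echoed, encoding alone keeps it inert:
echo html_escape('"><b>not-a-date</b>'), PHP_EOL;
```

Only the first sample is rendered as a date; the other three produce the fixed error message, so nothing the client sent reaches the page unencoded.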
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =2.0
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.