VYPR
Severity: Low (2.4) · NVD Advisory · Published Apr 20, 2026 · Updated Apr 29, 2026

CVE-2026-6622

Description

A vulnerability was identified in BichitroGan ISP Billing Software 2025.3.20. This affects an unknown function of the file /?_route=customers/edit/ of the component Customer Handler. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in BichitroGan ISP Billing Software 2025.3.20 allows authenticated users to inject arbitrary JavaScript via unescaped Full Name and Home Address fields.

Vulnerability Analysis

The vulnerability is a stored cross-site scripting (XSS) flaw, identified as CWE-79, in BichitroGan ISP Billing Software version 2025.3.20 [1]. The software fails to sanitize user-supplied input in the fullname and address parameters when editing customer records via the /customers/edit/{id} endpoint. Input is stored in the database and later rendered on the customer listing page without proper HTML encoding or output escaping [1]. This allows attackers to inject arbitrary JavaScript that executes in the browser of any user viewing the affected pages.

Exploitation

The attack requires authentication as a user or administrator [1]. The attacker navigates to the customer edit page, inserts a JavaScript payload (e.g., ``) into the Full Name or Home Address field, and saves the changes [1]. When an administrator or other user visits the customer list page, the stored script executes in their browser [1]. The injection point is persistent, so the payload remains active until manually removed.

Impact

Successful exploitation enables attacker-controlled JavaScript execution in the victim's session context. This could lead to session hijacking, credential theft, unauthorized actions performed on behalf of the victim, or application defacement [1]. If an administrator views the malicious content, the attacker may gain additional privileges or perform lateral movement within the application [1]. Although the vendor has not responded to disclosure, the exploit is publicly available [1].

Mitigation

The vendor has not released a patch, as they did not respond to the disclosure [1]. Until a fix is available, administrators should add output encoding themselves wherever customer fields are rendered (for example, htmlspecialchars() with appropriate flags), enforce strict input validation on the fullname and address parameters, and deploy Content Security Policy (CSP) headers to limit the impact of any remaining injection [1]. Given that the proof of concept is public, organizations using this software should treat the vulnerability with priority despite the low CVSS base score.
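The following is an added illustration of the output-encoding mitigation described above; it is not code from the advisory or from the BichitroGan product. The field names (fullname, address), the row-rendering function, the sample record and the CSP policy string are assumptions chosen to mirror the fields the advisory names.

```php
<?php
// Added example (not from the advisory or the vendor): escape stored customer
// fields at render time so markup saved in the database is shown as text.
// Field names, the sample record and the CSP policy are assumptions.

declare(strict_types=1);

/**
 * Encode a stored value for safe insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both ' and " so the value cannot break out of an attribute;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * which would otherwise silently drop the record's data.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one customer row for the listing page. Every field passes through e()
 * on the way out, both in text context (cell body) and attribute context (title).
 */
function renderCustomerRow(array $customer): string
{
    $name    = e($customer['fullname']);
    $address = e($customer['address']);

    return '<tr>'
        . '<td>' . $name . '</td>'
        . '<td title="' . $address . '">' . $address . '</td>'
        . '</tr>';
}

/**
 * Send a Content Security Policy that disallows inline scripts, so an encoding
 * gap elsewhere in the application does not by itself yield script execution.
 */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample record: markup and quote characters in the two fields
// the advisory identifies as unescaped.
$sample = [
    'fullname' => '<script>alert(1)</script>',
    'address'  => '12 Example St" onmouseover="alert(1)',
];

if (PHP_SAPI !== 'cli') {
    sendCspHeader();
}
echo renderCustomerRow($sample), PHP_EOL;
```

Run it from the command line with `php render_example.php`: the angle brackets and quotes in both fields are emitted as HTML entities, so the browser displays them as literal characters rather than parsing them as a script element or a new attribute. Encoding belongs at the output point, not only at input, because data saved before the fix (including any payload already stored via the vulnerable edit form) is still rendered safely.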

References
  1. CVE-2026-6622

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0 (no linked articles indexed yet)