CVE-2026-7089
Description
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated stored XSS in Home Service System 1.0 via booking.php allows session hijacking and admin takeover.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability has been identified in code-projects Home Service System 1.0. The flaw resides in the /booking.php file, specifically within the Appointment Booking component. The fname and lname parameters lack proper sanitization, allowing an attacker to inject arbitrary JavaScript payloads. The malicious script is stored in the database and later rendered without output encoding in the admin panel (admin.php) under the Manage Booking section [1].
Exploitation
No authentication is required to trigger the vulnerability. An unauthenticated attacker can submit a booking request containing a crafted payload in the first or last name fields. When an administrator views the Manage Booking page, the stored payload executes in their browser context. The attack is remotely exploitable over the network [1]. The attacker can use a simple image request to exfiltrate the administrator's session cookie to an attacker-controlled listener [1].
Impact
Successful exploitation gives a remote unauthenticated attacker the ability to steal the admin session cookie (PHPSESSID), hijack the administrative session, and gain full control over the Home Service System. The attacker can then perform any administrative action, including managing bookings, providers, and other system settings, effectively compromising the entire application [1].
Mitigation
As of the publication date (April 27, 2026), the vulnerability has been publicly disclosed with a proof of concept. The vendor, code-projects.org, has not released a patched version. Users of Home Service System 1.0 are advised to implement input validation and output encoding for all user-supplied data in the booking form, or restrict access to the admin panel until a fix is available [1][2].
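As an added example (not code from code-projects' Home Service System), the two halves of the recommended fix in PHP, the application's own language: validation of the name fields where booking.php accepts them, and HTML output encoding where admin.php renders them. The row layout ($row['fname'], $row['lname']) and the availability of mbstring are assumptions.

```php
<?php
// Added example, not from the Home Service System source. Column/variable
// names ($row['fname'], $row['lname']) are assumptions; mbstring is assumed.
declare(strict_types=1);

// Defence in depth: keep PHPSESSID out of document.cookie so a stored script
// cannot read it. Must be set before session_start() is called.
ini_set('session.cookie_httponly', '1');

// 1. Input validation for booking.php: accept only plausible name characters.
//    This limits what gets stored but is NOT a substitute for encoding at output.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    // Letters in any script, combining marks, spaces, apostrophes, hyphens, periods.
    if (!preg_match('/^[\p{L}\p{M}\' .-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// 2. Output encoding for admin.php (Manage Booking): every stored value is
//    encoded as HTML text at the point it is written into the page, so the
//    browser displays it literally instead of parsing it as markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed booking row standing in for a record read from the database.
$row = ['fname' => '<script>alert(1)</script>', 'lname' => "O'Brien"];

// Vulnerable pattern: raw interpolation lets the stored payload run as markup.
$vulnerable = "<td>{$row['fname']} {$row['lname']}</td>";

// Hardened pattern: the same row, encoded at output (ENT_QUOTES also covers
// values placed inside single-quoted attributes).
$hardened = '<td>' . e($row['fname']) . ' ' . e($row['lname']) . '</td>';

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
var_dump(validate_name($row['fname'])); // rejected by the name allowlist
var_dump(validate_name($row['lname'])); // accepted: apostrophes are legitimate in names
```

Validation alone is insufficient because data can reach the database through paths other than the form; the encoding in e() is the control that actually prevents the stored payload from executing in the administrator's browser.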
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.