CVE-2026-7090
Description
A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in code-projects Chat System 1.0 allows authenticated users to inject arbitrary JavaScript via the msg parameter in /admin/send_message.php.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in code-projects Chat System 1.0, affecting the chat interface. The flaw resides in the file /admin/send_message.php, where the msg POST parameter is inserted directly into the database without any sanitization or encoding [1]. The official description confirms the manipulation of the msg argument leads to XSS, and the exploit is publicly available.
Attack Vector and Exploitation
The attack requires a valid user session (Low privileges) and user interaction—the victim must open the chatroom. The injection occurs at /admin/send_message.php, and the stored payload executes when /admin/fetch_chat.php renders messages without output encoding [1]. Both the message and uname fields are echoed unsafely, allowing persistent payloads to affect all users, including administrators, who view the chatroom.
Impact
An attacker can inject arbitrary JavaScript that executes in the context of any user viewing the chatroom. This can lead to session hijacking, defacement, or redirection to malicious sites. The CVSS v3.1 score of 8.7 (High) reflects the network attack vector, low complexity, and potential for high impact to confidentiality and integrity [1].
Mitigation Status
As of the publication date, the vendor has not released a patch, and the vulnerability remains unpatched [1]. Users should apply input validation and output encoding (e.g., htmlspecialchars()) to the affected parameters, or restrict access to the chat functionality until a fix is available.
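The output-encoding fix suggested above, as an added example that is not the project's code: it contrasts the unencoded echo pattern described for /admin/fetch_chat.php with an encoded version. The helper names (`h`, `render_row_unsafe`, `render_row_safe`), the markup and the sample rows are assumptions; only the `message` and `uname` field names come from this page.

```php
<?php
// Added example: hypothetical rendering helpers, not the project's code.
declare(strict_types=1);

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The pattern the advisory describes: stored fields echoed as-is. */
function render_row_unsafe(array $row): string
{
    return '<div class="msg"><b>' . $row['uname'] . '</b>: '
        . $row['message'] . '</div>';
}

/** Same markup, with both user-controlled fields encoded at output time. */
function render_row_safe(array $row): string
{
    return '<div class="msg"><b>' . h($row['uname']) . '</b>: '
        . h($row['message']) . '</div>';
}

// Constructed sample rows standing in for what the chat table returns.
$rows = [
    ['uname' => 'alice',  'message' => 'hello & welcome'],
    ['uname' => 'bob<i>', 'message' => '<script>alert(1)</script>'],
];

foreach ($rows as $row) {
    $unsafe = render_row_unsafe($row);
    $safe   = render_row_safe($row);
    // Regression check: once encoded, no '<' from user data survives, so
    // the only tags left are the template's own four (<div>, <b>, </b>, </div>).
    $tagCount = preg_match_all('/<[a-z\/]/i', $safe);
    printf(
        "unsafe: %s\nsafe:   %s\ntemplate-only tags: %s\n\n",
        $unsafe,
        $safe,
        $tagCount === 4 ? 'yes' : 'NO'
    );
}
```

Encoding at render time protects rows already stored in the database, which filtering `msg` on insert alone would not.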
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
References