CVE-2026-7116
Description
A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in cross-site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in code-projects Employee Management System 1.0 via the `pid` parameter in `mark.php` allows remote attackers to execute arbitrary JavaScript in an admin's browser, leading to session hijacking or account takeover.
Vulnerability
Description
A reflected cross-site scripting (XSS) vulnerability exists in code-projects Employee Management System version 1.0. The flaw is located in the file 370project/mark.php, specifically in the handling of the pid query parameter. This parameter is reflected into an HTML hidden input value without proper escaping or sanitization, allowing an attacker to inject arbitrary HTML and JavaScript code [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a specially encoded payload in the pid parameter. For example, a GET request to /mark.php?id=101&pid=%22%3E%3CScRiPt%3Ealert(10)%3C/sCrIpT%3E will cause the injected script to execute when the page is rendered in a victim's browser. The attack does not require authentication and can be carried out remotely, as the endpoint is accessible over HTTP [1].
Impact
Successful exploitation requires an authenticated administrator to visit the malicious link, either via social engineering or other means. Once the script executes, an attacker could steal session cookies or tokens (session hijacking), perform actions on behalf of the admin (account takeover), or manipulate the page content for phishing attacks. The public disclosure of proof-of-concept exploit code increases the likelihood of active exploitation [1].
Mitigation
As of the publication date, no official patch has been released by the vendor. Users are advised to apply input validation and output encoding for the pid parameter, or consider using a web application firewall (WAF) to block malicious payloads. The vulnerable source code is available from code-projects.org [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
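As an added example, not code from the project (mark.php itself is not reproduced on this page), the reflection pattern the advisory describes is shown beside the output encoding and input validation the mitigation section recommends; the hidden-input markup and the numeric-id format for pid are assumptions.

```php
<?php
// Added illustrative example, not code from the project: mark.php is not
// reproduced on this page, so the hidden-input reflection below is an
// assumption about the pattern the advisory describes.

// Vulnerable pattern (assumed): the query value is written straight into the
// attribute, so a double quote in `pid` closes the attribute and everything
// after it is parsed as markup.
function render_hidden_unsafe(string $pid): string
{
    return '<input type="hidden" name="pid" value="' . $pid . '">';
}

// Hardened pattern: HTML-encode on output. ENT_QUOTES encodes both quote
// styles, which is what matters inside a quoted attribute; ENT_SUBSTITUTE
// avoids returning an empty string on invalid UTF-8.
function render_hidden_safe(string $pid): string
{
    $encoded = htmlspecialchars($pid, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="pid" value="' . $encoded . '">';
}

// Input validation as defence in depth: the id format is an assumption, but a
// record id should never legitimately contain markup characters, so reject
// anything that is not a short run of digits before it reaches the template.
function is_valid_pid(string $pid): bool
{
    return preg_match('/^\d{1,10}$/', $pid) === 1;
}

// Constructed sample inputs: a legitimate id and a value carrying the
// attribute delimiters that the unsafe renderer lets through.
$samples = ['101', '"><b>x</b>'];
foreach ($samples as $pid) {
    printf("valid:  %s\n", is_valid_pid($pid) ? 'yes' : 'no');
    printf("unsafe: %s\n", render_hidden_unsafe($pid));
    printf("safe:   %s\n\n", render_hidden_safe($pid));
}
```

Running it shows the second sample leaving the unsafe attribute and entering the page as markup, while the safe renderer emits it as `&quot;&gt;&lt;b&gt;x&lt;/b&gt;` and the validator rejects it outright.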
Affected products
Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.