CVE-2026-7230
Description
A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. Manipulation of the argument angerDisplay results in cross-site scripting. The attack can be performed remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in SourceCodester Safety Anger Pad 1.0 via the angerDisplay parameter allows remote unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
Overview
CVE-2026-7230 describes a reflected cross-site scripting (XSS) flaw in SourceCodester Safety Anger Pad 1.0. The vulnerability resides in an unknown function that processes the angerDisplay argument. Improper sanitization of user-supplied input allows an attacker to inject arbitrary JavaScript or HTML code, which is then executed in the context of the victim's browser session.
Exploitation
Prerequisites
The attack can be performed remotely without authentication. An attacker needs only to craft a malicious URL containing a payload in the angerDisplay parameter and trick a user into clicking it. No special network position is required, as the application is web-based and accessible over HTTP. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
Impact
Successful exploitation enables an attacker to execute arbitrary scripts in the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies, tokens), or redirection to malicious sites. The impact is limited to the user's browser context, but the lack of authentication requirements broadens the potential victim pool.
Mitigation
Status
As of the publication date, no official patch or vendor advisory has been released for Safety Anger Pad 1.0. Users are advised to implement input validation and output encoding for the angerDisplay parameter, or to disable the affected functionality until a fix is provided. The vendor's website [1] hosts the application but does not currently offer a security update.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =1.0
Patches
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.