6.1
CVE-2026-30526
SourceCodester · Zoo Management System

Description

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The application reflects the content of the msg parameter back to the user without proper HTML encoding or sanitization. This allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Affected Products

Vendor: SourceCodester
Product: Zoo Management System
Versions: 1.0

References

  • https://github.com/meifukun/Web-Security-PoCs/blob/main/Zoo-Management-System/Reflected-XSS-Login-msg.md

Related News (1 article)

Tier C
VulDB · 22h ago
CVE-2026-30526 | SourceCodester Zoo Management System 1.0 msg cross site scripting (EUVD-2026-17899)
→ No new info (linked only)
CVSS 3.1: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ❌ No
CWE: CWE-79
Published: Apr 1, 2026
Last enriched: 17h ago (v2)
Trending Score: 21
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-30573
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice"
Trending: 25
MEDIUM · CVE-2026-30523
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which deter
Trending: 21
MEDIUM · CVE-2026-5330
SourceCodester/mayuri_k Best Courier Management System User Delete ajax.php access control
MEDIUM · CVE-2026-5326
SourceCodester Leave Application System User Information index.php authorization
NONE · CVE-2026-5325
SourceCodester Simple Customer Relationship Management System Create Ticket create-ticket.php cross site scripting

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Apr 1, 2026
Discovered by ZDM: Apr 1, 2026
Updated (vendor, product, affectedVersions): Apr 1, 2026

Version History

v2 · Tier C · 17h ago

Updated vendor and product information, changed severity to HIGH, and clarified exploit availability.

vendor, product, affectedVersions
via VulDB
v1 · 19h ago

Initial creation