Home

Description

PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions.

PUBLISHED Reserved 2026-02-01 | Published 2026-02-01 | Updated 2026-02-03 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

3.0
affected

Credits

Vulnerability-Lab [Research Team] finder

References

www.vulnerability-lab.com/get_content.php?id=2290 exploit

www.vulnerability-lab.com/get_content.php?id=2290 (Vulnerability Lab Advisory) exploit

www.phpsugar.com/...php-melody-3-0-vulnerability-report-fix/ (Vulnerability Lab Advisory) patch

www.phpsugar.com/phpmelody.html (Product Homepage) product

www.vulncheck.com/...-site-scripting-via-multiple-parameters (VulnCheck Advisory: PHP Melody 3.0 Non-Persistent Cross-Site Scripting via Multiple Parameters) third-party-advisory

cve.org (CVE-2021-47912)

nvd.nist.gov (CVE-2021-47912)

Download JSON