CVE-2026-7090 | THREATINT

Description

A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

PUBLISHED Reserved 2026-04-26 | Published 2026-04-27 | Updated 2026-04-27 | Assigner VulDB

MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

LOW: 2.4CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

LOW: 2.4CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

3.3AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR

Problem types

Cross Site Scripting

Code Injection

Product status

1.0

affected

Timeline

2026-04-26:	Advisory disclosed
2026-04-26:	VulDB entry created
2026-04-26:	VulDB entry last update

Credits

c4ttr4ck (VulDB User) reporter

References

vuldb.com/vuln/359665 (VDB-359665 | code-projects Chat System send_message.php cross site scripting) vdb-entry technical-description

vuldb.com/vuln/359665/cti (VDB-359665 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/800383 (Submit #800383 | code-projects Chat System Using PHP 1.0 Stored Cross-Site Scripting (XSS)) third-party-advisory

gist.github.com/higordiego/4683bee16b197643744159b76d0c1ea6 exploit

code-projects.org/ product

cve.org (CVE-2026-7090)

nvd.nist.gov (CVE-2026-7090)

Download JSON