CVE-2026-32844

MEDIUM EPSS 17.0%
Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago
5.1 CVSS 4.0
Medium
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
17.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
xinliangcoderphp_api_doc* ≤2019-03-24

References 2

  • github.com https://github.com/XinLiangCoder/php_api_doc/tree/1ce5bbf1429c077d6e3f0860098099d272e3f3c2
    Patch
  • vulncheck.com https://www.vulncheck.com/advisories/xinliangcoder-php-api-doc-reflected-xss-via-list-method-php
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/XinLiangCoder/php_api_doc/tree/1ce5bbf1429c077d6e3f0860098099d272e3f3c2
    Patch