CVE-2023-53870

MEDIUM

Jorani 1.0.3 - Reflected Cross-Site Scripting via Language Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53870. PoCs published by nu11secur1ty.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in Jorani v1.0.3 by injecting a malicious script into the 'language' parameter, which is echoed unmodified in the application's response. It also highlights an information disclosure issue via PHP errors.

Description

Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information.

Exploits (1)

exploitdb WORKING POC
by nu11secur1ty · text · webapps · php
https://www.exploit-db.com/exploits/51715

Classification: Working PoC 90%
Attack Type: XSS | Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jorani v1.0.3
No auth needed
Prerequisites: Access to the login page of the target application
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51715
Various Sources product
https://jorani.org/

Scores

CVSS v4 5.1
EPSS 0.0005
EPSS Percentile 16.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
Jorani/Jorani 1.0.3
Published Dec 15, 2025
Tracked Since Feb 18, 2026