CVE-2026-32844
MEDIUM
XinLiangCoder / php_api_doc Reflected XSS via list_method.php
Title source: cnaDescription
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
References (2)
Core References
Product: https://github.com/XinLiangCoder/php_api_doc/tree/1ce5bbf1429c077d6e3f0860098099d272e3f3c2
Third Party Advisory: https://www.vulncheck.com/advisories/xinliangcoder-php-api-doc-reflected-xss-via-list-method-php
Scores
CVSS v3: 6.1
EPSS: 0.0026
EPSS Percentile: 16.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (3)
XinLiangCoder/php_api_doc < 1ce5bbf1429c077d6e3f0860098099d272e3f3c2
xinliangcoder/php_api_doc < 2019-03-24
XinLiangCoder/php_api_doc < commit 1ce5bbf
Published: Mar 20, 2026
Tracked Since: Mar 20, 2026