CVE-2026-7089

MEDIUM

code-projects Home Service System Appointment Booking booking.php cross site scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-7089. PoCs published by Xmyronn.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-7089, a stored XSS vulnerability in Home Service System In PHP 1.0. It includes vulnerability details, affected components, reproduction steps, and remediation guidance.

Description

A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Exploits (1)

nomisec WRITEUP

by Xmyronn · poc

https://github.com/Xmyronn/CVE-2026-7089-XSS

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-7089, a stored XSS vulnerability in Home Service System In PHP 1.0. It includes vulnerability details, affected components, reproduction steps, and remediation guidance.

Classification

Writeup 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Home Service System In PHP 1.0

No auth needed

Prerequisites: Access to the booking page · Administrator interaction with the admin panel

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-359664 | code-projects Home Service System Appointment Booking booking.php cross site scripting

https://vuldb.com/vuln/359664

Signature, Permissions Required signature permissions-required

VDB-359664 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/359664/cti

Third Party Advisory third-party-advisory

Submit #800121 | code-projects Home Service System In PHP 1.0 Cross Site Scripting

https://vuldb.com/submit/800121

Exploit exploit

https://github.com/Xmyronn/home-service-system-unauth-stored-xss-admin-takeover-code-project.org-.git

Product product

https://code-projects.org/

Scores

CVSS v3 4.3

EPSS 0.0038

EPSS Percentile 29.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (1)

code-projects/Home Service System 1.0

Published Apr 27, 2026

Tracked Since Apr 27, 2026