CVE-2026-2160 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in SourceCodester Simple Responsive Tourism Website version 1.0. This vulnerability exists in the package management functionality, specifically within the file /tourism/classes/Master.php?f=save_package. The flaw allows remote attackers to inject malicious scripts through the Title parameter due to insufficient input validation and output encoding.
Critical Impact
Remote attackers can execute arbitrary JavaScript code in victims' browsers, potentially leading to session hijacking, credential theft, defacement, or malware distribution targeting users of affected tourism websites.
Affected Products
- SourceCodester Simple Responsive Tourism Website 1.0
- Installations using the Master.php package save functionality
- Web applications built on the oretnom23 Simple Responsive Tourism Website codebase
Discovery Timeline
- February 8, 2026 - CVE-2026-2160 published to NVD
- February 10, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2160
Vulnerability Analysis
This Cross-Site Scripting vulnerability exists in the package management feature of the Simple Responsive Tourism Website application. The vulnerable endpoint /tourism/classes/Master.php?f=save_package accepts user-supplied input through the Title parameter without proper sanitization or encoding. When this unsanitized input is rendered in the application's response, any embedded JavaScript code executes in the context of the victim's browser session.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes the fundamental weakness of accepting user input and including it in output without proper encoding. This allows attackers to craft malicious payloads that are stored or reflected back to other users.
Root Cause
The root cause of this vulnerability is the absence of proper input validation and output encoding in the Master.php file when handling the Title parameter in the save_package function. The application fails to sanitize special HTML characters such as <, >, ", and ' before storing or displaying the package title, allowing script tags and JavaScript event handlers to be interpreted as executable code rather than plain text.
Attack Vector
The attack vector is network-based and requires user interaction to execute successfully. An attacker can exploit this vulnerability by submitting a specially crafted package title containing malicious JavaScript code through the vulnerable endpoint. When an administrator or user views the affected package entry, the injected script executes in their browser context.
The exploitation scenario typically follows this pattern:
- The attacker accesses the package creation or editing functionality
- A malicious payload is injected into the Title field (e.g., containing script tags or event handlers)
- The malicious content is saved to the application database
- When other users (including administrators) view the package listing, the stored XSS payload executes
- The attacker can then steal session cookies, redirect users to phishing sites, or perform actions on behalf of the victim
For detailed technical analysis and proof of concept, refer to the GitHub CVE Report and the VulDB advisory.
Detection Methods for CVE-2026-2160
Indicators of Compromise
- Unusual JavaScript code or HTML tags appearing in package title fields within the database
- Suspicious entries in web server access logs showing encoded script payloads in POST data to /tourism/classes/Master.php?f=save_package
- User reports of unexpected browser behavior, pop-ups, or redirects when viewing package listings
- Abnormal outbound connections from client browsers to unknown external domains
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect common XSS patterns in request parameters, particularly targeting the Title field
- Deploy log monitoring to identify POST requests to Master.php containing encoded script tags (%3Cscript%3E, %3C/script%3E) or event handlers (onerror=, onload=)
- Utilize browser-based Content Security Policy (CSP) violation reporting to identify script execution from unexpected sources
- Conduct regular database audits to search for HTML/JavaScript content in fields that should contain plain text
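As an added example (not from the advisory or the project), a Python check that decodes request bodies before matching, so the URL-encoded and double-encoded payloads the log-monitoring bullet describes are caught, and whose looks_like_xss function doubles as the plain-text check for the database audit. It assumes the form field is posted as title and that request bodies come from a WAF or application log, since Apache access logs do not record POST data.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/tourism/classes/Master.php"
TARGET_FUNC = "save_package"

# Markup that has no business in a plain-text package title: script tags,
# inline event handlers (onerror=, onload=, ...) and javascript: URLs.
XSS_PATTERNS = re.compile(r"<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

# Constructed sample records (method, path, POST body) as a WAF or application
# log might capture them; plain Apache access logs do not record POST bodies.
SAMPLE_REQUESTS = [
    ("POST", f"{TARGET_PATH}?f={TARGET_FUNC}", "title=Beach+Escape&price=199"),
    ("POST", f"{TARGET_PATH}?f={TARGET_FUNC}",
     "title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&price=1"),
    # Double URL-encoded payload: after one decode pass it still reads %3C...%3E.
    ("POST", f"{TARGET_PATH}?f={TARGET_FUNC}",
     "title=Tour%2520%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"),
    ("POST", f"{TARGET_PATH}?f=delete_package", "id=3"),
]

def fully_decode(value: str, max_rounds: int = 3) -> str:
    # Undo URL encoding until the text is stable (bounded) so double encoding is seen.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_xss(text: str) -> bool:
    """True if a value that should be plain text carries script markup.
    Works on decoded request fields and on raw database column values alike,
    so the same check serves the database audit of stored package titles."""
    return XSS_PATTERNS.search(fully_decode(text)) is not None

def is_save_package(method: str, path: str) -> bool:
    base, _, query = path.partition("?")
    return (method == "POST" and base == TARGET_PATH
            and parse_qs(query).get("f") == [TARGET_FUNC])

def flag_requests(records):
    """Indices of save_package POSTs whose 'title' field (assumed name) looks like XSS."""
    hits = []
    for i, (method, path, body) in enumerate(records):
        if is_save_package(method, path):
            title = parse_qs(body).get("title", [""])[0]
            if looks_like_xss(title):
                hits.append(i)
    return hits
```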
Monitoring Recommendations
- Enable detailed logging for all requests to /tourism/classes/Master.php and review for suspicious payloads
- Set up alerts for CSP violations that may indicate attempted XSS exploitation
- Monitor for unusual session activity patterns that could indicate session hijacking following successful XSS attacks
- Implement real-time scanning of user input for known XSS payload signatures
How to Mitigate CVE-2026-2160
Immediate Actions Required
- Restrict access to the package management functionality (/tourism/classes/Master.php?f=save_package) to trusted administrators only
- Implement Web Application Firewall rules to block requests containing script tags or JavaScript event handlers in the Title parameter
- Audit existing package entries in the database for potentially malicious content and sanitize any suspicious data
- Enable Content Security Policy headers to mitigate the impact of any successful XSS attacks
Patch Information
As of the last update on February 10, 2026, no official patch has been released by the vendor for this vulnerability. Organizations using this software should monitor the SourceCodester website for security updates and consider implementing the workarounds below until an official fix is available.
Additional vulnerability details can be found in the VulDB CTI advisory.
Workarounds
- Apply input validation on the server-side to reject or sanitize HTML and JavaScript content in the Title parameter
- Implement output encoding (HTML entity encoding) when displaying package titles to prevent script execution
- Add HTTP-only and Secure flags to session cookies to limit the impact of potential session theft
- Deploy a Content Security Policy header with strict script-src directives to prevent inline script execution
# Example Apache .htaccess configuration to add security headers
<IfModule mod_headers.c>
# Content Security Policy to mitigate XSS: script-src 'self' blocks inline scripts
# and event handlers; 'unsafe-inline' is kept for styles only, for compatibility
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# Additional security headers
Header set X-Content-Type-Options "nosniff"
# X-XSS-Protection is ignored by current browsers; it only affects legacy ones
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.