Cross-Site Scripting Vulnerability in SourceCodester Simple Responsive Tourism Website
CVE-2026-2160

5.3MEDIUM

Key Information:

Vendor

Sourcecodester
Status
Simple Responsive Tourism Website
Vendor
CVE Published:
8 February 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-2160?

A vulnerability exists in the SourceCodester Simple Responsive Tourism Website version 1.0, specifically affecting the save_package function located in /tourism/classes/Master.php. This vulnerability enables an attacker to exploit the argument 'Title' to execute arbitrary scripts in the context of the user's browser. This can lead to session hijacking, data theft, and other malicious activities. The exploit is remotely executable, and details have been made publicly available, increasing the risk for users of this web application.

Affected Version(s)

Simple Responsive Tourism Website 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-2160 - Proof of Concept

References

https://vuldb.com/?id.344862
vdb-entrytechnical-description
https://vuldb.com/?ctiid.344862
signaturepermissions-required
https://vuldb.com/?submit.751016
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Choco094late (VulDB User)
.