PatchSiren cyber security CVE debrief
CVE-2026-30526 Pushpam02 CVE debrief
CVE-2026-30526 is a reflected cross-site scripting issue in Zoo Management System v1.0’s login page. The application reflects the `msg` parameter back to the browser without proper HTML encoding or sanitization, allowing a remote attacker to inject script or HTML through a crafted URL.
- Vendor: Pushpam02
- Product: CVE-2026-30526
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-01
- Original CVE updated: 2026-05-10
- Advisory published: 2026-04-01
- Advisory updated: 2026-05-10
Who should care
Administrators, developers, and security teams responsible for SourceCodester Zoo Management System v1.0 should care, especially if the login page is internet-facing or used by multiple users. Any environment that trusts reflected content from the `msg` parameter is exposed to browser-side code execution risks.
Technical summary
NVD classifies the issue as CWE-79 and assigns CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates network reachability, no privileges required, and user interaction required. The vulnerable CPE in the official record is `cpe:2.3:a:pushpam02:zoo_management_system:1.0:*:*:*:*:*:*:*`. The flaw is specifically described as a reflected XSS condition in the login page `msg` parameter, where untrusted input is echoed back without safe output encoding.
Defensive priority
Medium priority. Exploitation requires only a crafted link and one user click, so any exposed login flow is within reach. Remediate promptly for public-facing deployments, and prioritize any instance where the login page is used frequently or embedded in broader workflows.
Recommended defensive actions
- Treat all values from the `msg` parameter as untrusted and HTML-encode them before rendering.
- Avoid directly reflecting user-controlled input into the login page; use fixed messages or server-side mappings where possible.
- Validate the parameter against a strict allowlist if it is only meant to carry known status values.
- Review the login page and nearby templates for any other reflected inputs that may share the same pattern.
- Add defense-in-depth controls such as a restrictive Content Security Policy and secure cookie settings.
- Upgrade or replace the affected application version if the vendor provides a corrected release.
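The first three actions above, as an added example that is not the product's own code: a status-key allowlist mapped to fixed server-side messages, with HTML encoding (quotes included) as the fallback for anything else. The status keys, the `/login` path and the CSP value are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only status values the login page is meant to
# carry in `msg`. These keys are assumed for the example, not taken from the
# product. The browser only ever sees the fixed right-hand strings.
LOGIN_MESSAGES = {
    "invalid": "Invalid username or password.",
    "logout": "You have been logged out.",
    "expired": "Your session has expired. Please sign in again.",
}

# Defense-in-depth header for the login response (assumed policy).
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


def render_login_message(msg):
    """Return the HTML fragment for the login page's status banner.

    Preferred path: `msg` is a known key, so a fixed server-side string is
    emitted and the user-controlled value never reaches the page.
    Fallback: the raw value is HTML-encoded, including both quote characters,
    so it renders as inert text instead of markup.
    """
    if not msg:
        return ""
    if msg in LOGIN_MESSAGES:
        text = LOGIN_MESSAGES[msg]
    else:
        text = html.escape(msg, quote=True)
    return '<div class="alert">%s</div>' % text


def message_from_url(url):
    """Pull `msg` out of a request URL the way the login page receives it."""
    values = parse_qs(urlsplit(url).query).get("msg")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed request: a known key and an unknown, markup-bearing value.
    for u in ("http://example.test/login?msg=logout",
              'http://example.test/login?msg=%22%3E%3Cb%3Ex%3C/b%3E'):
        print(render_login_message(message_from_url(u)))
```

Encoding at the point of output is what removes the vulnerability; the allowlist additionally keeps attacker-chosen wording out of the page entirely.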
Evidence notes
The official CVE record and NVD detail identify CVE-2026-30526 as a reflected XSS issue affecting Zoo Management System v1.0. The NVD metadata states the weakness as CWE-79 and provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The official NVD source also lists the vulnerable CPE for `pushpam02:zoo_management_system:1.0`. A third-party GitHub reference is included by MITRE/NVD as an external advisory reference; no exploit details are included here.
Official resources
- CVE-2026-30526 CVE record (CVE.org)
- CVE-2026-30526 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
Publicly disclosed on 2026-04-01 and modified in the official record on 2026-05-10.