๐Ÿ” CVE Alert

CVE-2026-32844

MEDIUM 6.1

XinLiangCoder / php_api_doc Reflected XSS via list_method.php

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 0th

XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.
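One way to neutralize a reflected parameter like `f`, shown as an added example that is not code from php_api_doc: validate against an allow-list, then HTML-encode at the point of output. The function names, the allow-list pattern and the `<h2>` output context are assumptions, because the page does not show how list_method.php uses `f`.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Only the parameter name `f` comes from
// the advisory; helper names, pattern and markup are assumed.

/** Encode untrusted text for an HTML body or quoted-attribute context. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Return `f` only if it is a string matching the assumed allow-list
 * (letters, digits, '_', '-', '.'; 1 to 64 characters), otherwise null.
 */
function read_f_param(array $query): ?string
{
    $raw = $query['f'] ?? null;
    if (!is_string($raw)) {   // ?f[]=x arrives as an array, not a string
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// Unsafe shape the advisory describes (assumed form, for contrast only):
//   echo '<h2>' . $_GET['f'] . '</h2>';

function render_heading(array $query): string
{
    $f = read_f_param($query);
    if ($f === null) {
        return '<h2>Unknown document</h2>';   // never echo the rejected value
    }
    // Encode on output even after validation, so a later loosening of the
    // allow-list does not reopen the injection.
    return '<h2>' . html_escape($f) . '</h2>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one valid name, one with markup, one array.
    foreach (['user.login', '<b>x</b>', ['a']] as $sample) {
        echo render_heading(['f' => $sample]), PHP_EOL;
    }
} else {
    // Defence in depth: restrict script sources for the response.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    echo render_heading($_GET);
}
```

Run from the command line, only the first sample is reflected; the other two produce the fixed fallback heading.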

CWE: CWE-79
Vendor: xinliangcoder
Product: php_api_doc
Published: Mar 20, 2026
Last Updated: Mar 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

XinLiangCoder / php_api_doc
0 ≤ 1ce5bbf1429c077d6e3f0860098099d272e3f3c2

References

github.com: https://github.com/XinLiangCoder/php_api_doc/tree/1ce5bbf1429c077d6e3f0860098099d272e3f3c2
vulncheck.com: https://www.vulncheck.com/advisories/xinliangcoder-php-api-doc-reflected-xss-via-list-method-php

Credits

philopentest