CVE-2026-13504

code-projects Project Management System Mail Compose mail.php cross site scripting

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79 CWE-94

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.1EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

28 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A vulnerability has been found in code-projects Project Management System 1.0. This vulnerability affects unknown code of the file /mail.php of the component Mail Compose Page. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Affected products

code-projects · Project Management System

public PoCs found — 1

cve_referencegithub.com/MyMySSS/CVE123/blob/main/cve4/PMS_CVE_Submission.mdunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://code-projects.org/https://github.com/MyMySSS/CVE123/blob/main/cve4/PMS_CVE_Submission.md https://vuldb.com/cve/CVE-2026-13504 https://vuldb.com/submit/838683 https://vuldb.com/vuln/374499 https://vuldb.com/vuln/374499/cti