CVE-2026-32844 MEDIUM

CVE-2026-32844: XinLiangCoder / php_api_doc Reflected XSS via list_method.php

Vendor Xinliangcoder

Product php_api_doc

Weakness CWE-79 · XSS

Published March 20, 2026

Last update March 23, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET request parameter that is output directly to the page without proper neutralization, enabling session hijacking, credential theft, or malware distribution within the application context.

Key dates

Disclosure timeline

March 20, 2026 CVE published

March 23, 2026 Record updated

Identifiers

CVE CVE-2026-32844

CWE CWE-79

CVSS 5.1 / MEDIUM

Affected versions

Vendor Xinliangcoder

Product php_api_doc

Affected ≤ 1ce5bbf1429c077d6e3f0860098099d272e3f3c2