CVE Catalog

CVE-2026-32843

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

37th percentile - higher than 37% of all known CVEs

Summary

A reflected XSS vulnerability in the Location Aware Sensor System by Linkit ONE (up to commit f06bd20, 2023-04-26) exists in the PM25.php file. Attackers can inject malicious JavaScript into GET parameters (site, city, district, channel, apikey), leading to script execution in victims' browsers.

Risk Assessment

The risk includes session hijacking, redirection to malicious sites, or theft of user credentials from victims visiting a crafted URL.

Recommendation

Immediately update the system to a version after commit f06bd20 and apply output encoding for all GET parameters in PM25.php.

Original NVD description (English source)

Location Aware Sensor System by Linkit ONE, up to commit f06bd20 (2023-04-26), contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious URL containing unencoded payloads in the site, city, district, channel, or apikey parameters to execute scripts in victims' browsers when they visit the page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS