
CVE-2026-0642: Cross Site Scripting in projectworlds House Rental and Property Listing

Severity: Medium
Published: Tue Jan 06 2026 (01/06/2026, 22:32:07 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: House Rental and Property Listing

Description

A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 01:44:49 UTC

Technical Analysis

CVE-2026-0642 is a cross-site scripting vulnerability in version 1.0 of the projectworlds House Rental and Property Listing application. The flaw lies in the handling of the 'Name' parameter of the /app/complaint.php endpoint, where insufficient input validation allows an attacker to inject JavaScript that runs in the victim's browser. Exploitation is possible remotely and without authentication or privileges, but requires user interaction, such as clicking a crafted link or submitting a manipulated form. The CVSS 4.0 score of 4.8 corresponds to medium severity: moderate impact on confidentiality and integrity, with no direct impact on availability. Script executing in the victim's browser context can lead to session hijacking, defacement, or phishing. No exploitation in the wild has been observed, but a public exploit is available, which raises the likelihood of attack. With no vendor patch or official remediation guidance, users of the software need to rely on their own defensive measures. Because the application serves real estate and property listings, a successful attack could target users or administrators and expose sensitive personal or business information.

Potential Impact

For European organizations using projectworlds House Rental and Property Listing 1.0, this vulnerability poses a risk of client-side script injection that can compromise user sessions, steal credentials, or manipulate displayed content. This can lead to reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is exposed or misused. Real estate platforms often handle sensitive personal and financial information, increasing the stakes of such an attack. The medium severity rating suggests that while the vulnerability is not critical, it can be leveraged as part of a broader attack chain. European organizations with public-facing property listing portals are particularly at risk, especially if they lack robust input validation or web application firewalls. The requirement for user interaction means social engineering or phishing campaigns could be used to exploit this vulnerability, potentially targeting employees or customers. The absence of known active exploitation reduces immediate urgency but does not eliminate the threat, especially given the public availability of exploits.

Mitigation Recommendations

Organizations should implement strict input validation and output encoding on the 'Name' parameter and all user-supplied data to prevent script injection. Deploying a web application firewall (WAF) with rules tailored to detect and block XSS payloads can provide an additional layer of defense. Since no official patches are available, consider isolating or restricting access to the vulnerable complaint.php endpoint where feasible. Conduct security awareness training to educate users about the risks of clicking suspicious links or submitting untrusted data. Regularly monitor logs for unusual activity related to the complaint.php page. If possible, upgrade to a newer, patched version of the software or apply custom patches to sanitize inputs. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Finally, perform periodic security assessments and penetration testing focused on web application vulnerabilities to detect similar issues proactively.
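A hardened form of the parameter handling the mitigation above describes, as an added example that is not projectworlds' code: the field name Name and the /app/complaint.php path come from the advisory; the length limit, the allowed character set and the CSP value are assumptions.

```php
<?php
// Hardened handling of the 'Name' parameter of a complaint form (added example,
// not the projectworlds code). Limits, character set and CSP policy are assumptions.
declare(strict_types=1);

// Defence in depth in the browser: headers go out before any output.
// No inline scripts, no third-party script origins, no plugins.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

/**
 * Allowlist validation: trimmed, 1..100 characters, Unicode letters and marks,
 * whitespace, apostrophe, hyphen and period only. Returns null when rejected.
 */
function validateName(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\s\'\-.]+$/u', $name)) {
        return null;
    }
    return $name;
}

/** Output encoding for HTML text and attribute contexts; applied even after validation. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$name = validateName($_POST['Name'] ?? null);
if ($name === null) {
    http_response_code(400);
    echo '<p>Please enter a valid name (letters, spaces, apostrophes, hyphens, periods).</p>';
    exit;
}

// The vulnerable pattern is writing the raw parameter into the page. Here the value
// is validated above and encoded at the point of output, so markup such as <script>
// is rendered as literal text in both the text node and the attribute value.
echo '<p>Thank you, ' . e($name) . '. Your complaint has been recorded.</p>';
echo '<input type="text" name="Name" value="' . e($name) . '">';
```

htmlspecialchars() is correct only for HTML body and quoted-attribute contexts; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoder for that context instead.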


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-06T13:55:35.693Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695d904765deeab1b948281c

Added to database: 1/6/2026, 10:44:23 PM

Last enriched: 1/14/2026, 1:44:49 AM

Last updated: 2/7/2026, 5:24:58 AM
