CVE-2026-0730 is a medium-severity cross-site scripting vulnerability identified in PHPGurukul Staff Leave Management System version 1.0. The vulnerability resides in the ADD_STAFF and UPDATE_STAFF functions of the /staffleave/slms/slms/adminviews.py file, specifically in the SVG File Handler component. The issue arises from improper sanitization of the profile_pic argument, which can be manipulated by an attacker to inject malicious JavaScript code. This injection enables cross-site scripting attacks, allowing an attacker to execute arbitrary scripts in the context of the victim's browser session. The attack vector is remote network access, and exploitation does not require authentication but does require user interaction, such as an administrator or privileged user viewing a crafted page or input. The CVSS 4.0 vector indicates no user confidentiality impact, low integrity impact, and no availability impact, with a base score of 4.8. While no known exploits are currently active in the wild, the presence of a public exploit increases the risk of future attacks. The vulnerability could be leveraged to steal session cookies, perform unauthorized actions on behalf of the user, or conduct phishing attacks within the application context. The lack of official patches necessitates immediate mitigation through input validation and output encoding. This vulnerability highlights the importance of secure coding practices, especially in handling file uploads and user-supplied data in web applications.

The primary impact of CVE-2026-0730 is the potential compromise of user sessions and unauthorized actions within the Staff Leave Management System. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, credential theft, or manipulation of leave records and staff data. Although the vulnerability does not directly affect system availability or confidentiality at a broad scale, the integrity of administrative functions is at risk. Organizations relying on this system for staff management may face operational disruptions, data integrity issues, and reputational damage if attackers exploit this flaw. The requirement for user interaction and high privileges limits the attack scope but does not eliminate risk, especially in environments with multiple administrators or shared credentials. The absence of known active exploits currently reduces immediate threat but the public availability of exploit code increases the likelihood of targeted attacks. Overall, the vulnerability poses a moderate risk to organizations, particularly those in education or corporate sectors using PHPGurukul's system for staff leave management.

To mitigate CVE-2026-0730, organizations should implement strict input validation and output encoding for the profile_pic parameter and any other user-supplied inputs in the Staff Leave Management System. Specifically, sanitize inputs to disallow embedded scripts or HTML tags in file upload fields and ensure that SVG files are properly validated or restricted to safe content types. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. Limit administrative access to trusted personnel and enforce multi-factor authentication to reduce the risk of privilege abuse. Monitor application logs for unusual input patterns or script injection attempts. If possible, isolate the Staff Leave Management System in a segmented network zone to limit lateral movement in case of compromise. Since no official patch is currently available, consider applying custom patches or using web application firewalls (WAFs) with rules targeting XSS payloads in the affected parameters. Regularly review and update security controls and educate administrators about phishing and social engineering risks associated with XSS attacks.