CVE-2026-1444: Cross Site Scripting in iJason-Liu Books_Manager
A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable.
AI Analysis
Technical Summary
CVE-2026-1444 identifies a cross-site scripting vulnerability in the iJason-Liu Books_Manager software, affecting the file controllers/books_center/add_book_check.php, specifically through the 'mark' parameter. This vulnerability allows an attacker to inject malicious scripts that execute in the victim's browser when the victim interacts with crafted input. The flaw stems from insufficient input validation or output encoding, enabling script injection. The attack vector is network-based, requiring no authentication but user interaction to trigger the malicious payload. The vulnerability has been publicly disclosed, but no confirmed active exploitation has been reported. The software does not use versioning, making it difficult to determine all affected instances. The CVSS 4.0 vector indicates low attack complexity, no privileges required, but user interaction is necessary. The impact primarily affects confidentiality and integrity by potentially stealing session tokens or manipulating page content, with no direct availability impact. The lack of patch links suggests that no official fix has been released yet, increasing the urgency for organizations to implement mitigations.
Potential Impact
This XSS vulnerability can lead to theft of sensitive user information such as session cookies, credentials, or personal data, enabling account hijacking or unauthorized actions within the Books_Manager application. It can also facilitate phishing attacks by injecting deceptive content or redirecting users to malicious sites. For organizations, this can result in data breaches, loss of user trust, and potential regulatory penalties if personal data is compromised. Since the vulnerability requires user interaction, the scope is somewhat limited but remains significant in environments where users frequently interact with the affected application. The absence of versioning and patches increases the risk of prolonged exposure. Attackers could leverage this vulnerability as an initial foothold or part of a broader attack chain, especially in organizations relying heavily on this software for book management or related workflows.
Mitigation Recommendations
Organizations should immediately implement strict input validation and output encoding on the 'mark' parameter and any other user-supplied inputs within the Books_Manager application to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough code reviews focusing on input handling in add_book_check.php and related modules. If possible, isolate or restrict access to the Books_Manager application to trusted users and networks until a vendor patch is available. Educate users about the risks of clicking on suspicious links or inputs within the application. Monitor web application logs for unusual input patterns or attempted script injections. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this vulnerability. Engage with the vendor or community to track patch releases and apply updates promptly once available.
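The following is an added example, not code from the Books_Manager project, showing the two controls the recommendations above put first for the 'mark' parameter: validate the value on the way in and HTML-encode it on the way out, with a Content-Security-Policy header as a second layer. The request flow, the assumption that `mark` is a short free-text remark, and the length cap are all hypothetical; the real add_book_check.php is not reproduced here.

```php
<?php
// Added example (not the Books_Manager project's code). It sketches the
// hardening described in the mitigation section for a reflected parameter
// such as `mark`: validate on input, encode on output, and send a CSP header.
// The request flow below is a hypothetical reconstruction.

declare(strict_types=1);

// --- Vulnerable pattern (for contrast) --------------------------------------
// Writing a request parameter straight into HTML lets a crafted value be
// interpreted as markup instead of text. This is the bug class CVE-2026-1444
// describes; it is shown only to contrast with the hardened version below.
function renderMarkUnsafe(string $mark): string
{
    return "<p>Mark: $mark</p>";
}

// --- Hardened pattern --------------------------------------------------------

// 1. Input validation. `mark` is assumed here to be a short free-text remark;
//    the 200-character cap and the control-character check are assumptions
//    about the intended format, not taken from the project.
function validateMark(?string $raw): ?string
{
    if ($raw === null || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($raw, 'UTF-8') > 200) {
        return null;
    }
    // Reject ASCII control characters (tab and newline excepted).
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw) === 1) {
        return null;
    }
    return $raw;
}

// 2. Output encoding for an HTML text-node or quoted-attribute context.
//    ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning
//    an empty string on invalid byte sequences.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMarkSafe(string $mark): string
{
    return '<p>Mark: ' . escapeHtml($mark) . '</p>';
}

// 3. Defence in depth: a CSP without 'unsafe-inline' so that an encoding site
//    missed elsewhere in the page cannot run injected inline script.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// --- Request handling (hypothetical) ----------------------------------------
if (PHP_SAPI !== 'cli') {
    sendSecurityHeaders();
    $mark = validateMark($_POST['mark'] ?? $_GET['mark'] ?? null);
    if ($mark === null) {
        http_response_code(400);
        echo '<p>Invalid mark value.</p>';
        exit;
    }
    echo renderMarkSafe($mark);
} else {
    // Constructed sample value for a quick local check: php this_file.php
    $sample = '<script>alert(1)</script>';
    echo renderMarkUnsafe($sample), PHP_EOL;  // markup passes through verbatim
    echo renderMarkSafe($sample), PHP_EOL;    // markup is rendered as text
}
```

Run from the command line, the unsafe renderer emits the sample as live markup while the safe one emits `&lt;script&gt;...`; behind a web server, the same functions serve the request with the CSP header attached. Encoding must match the output context: the `htmlspecialchars` call above is correct for HTML body text and quoted attributes, but a value placed inside a JavaScript block or a URL needs its own encoder.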
Affected Countries
United States, China, India, Germany, United Kingdom, Canada, Australia, France, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-26T14:53:34.103Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69790cec4623b1157c4004a7
Added to database: 1/27/2026, 7:07:24 PM
Last enriched: 2/23/2026, 10:29:51 PM
Last updated: 3/23/2026, 9:41:40 PM
Views: 76