CVE-2026-2159 is a cross-site scripting vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0. The vulnerability resides in the Registration component, specifically within the /tourism/classes/Master.php?f=register file. The flaw arises due to insufficient input validation or output encoding of user-supplied parameters: firstname, lastname, and username. An attacker can craft malicious input to inject arbitrary JavaScript code, which is then executed in the context of other users viewing the affected pages. The vulnerability is remotely exploitable without requiring authentication, but it does require user interaction, such as clicking a crafted link or submitting a malicious form. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality and integrity with no impact on availability. The vulnerability does not require privileges or user consent beyond interaction, and no scope change occurs. Although no patches or official fixes are currently listed, a public exploit exists, increasing the risk of exploitation. This type of XSS can lead to session hijacking, credential theft, or redirection to malicious sites, undermining user trust and website integrity.

The exploitation of this XSS vulnerability can have several impacts on organizations deploying the affected software. Attackers can execute arbitrary scripts in users' browsers, potentially stealing session cookies, login credentials, or other sensitive information. This can lead to unauthorized access to user accounts and data breaches. Additionally, attackers may deface the website or redirect users to phishing or malware-laden sites, damaging the organization's reputation and user trust. For tourism websites, which often handle personal data and booking information, such breaches can have financial and legal consequences. The vulnerability's remote exploitability and lack of authentication requirement increase the risk of widespread attacks, especially if the software is used by multiple organizations without timely remediation. While availability is not directly impacted, the indirect effects on business continuity and user confidence can be significant.

To mitigate CVE-2026-2159, organizations should first verify if they are using SourceCodester Simple Responsive Tourism Website version 1.0 or any affected versions. Since no official patch is currently available, immediate mitigation steps include implementing robust input validation and output encoding on the firstname, lastname, and username parameters within the registration component. Employing a web application firewall (WAF) with rules to detect and block common XSS payloads can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can reduce the impact of successful XSS by restricting script execution sources. Educating users to avoid clicking suspicious links and monitoring web logs for unusual activity related to the registration endpoint can help detect exploitation attempts. Organizations should also track vendor updates for official patches and apply them promptly once released. Finally, conducting regular security assessments and code reviews can prevent similar vulnerabilities in future development.