CVE-2026-2160 is a cross-site scripting vulnerability identified in version 1.0 of the SourceCodester Simple Responsive Tourism Website. The vulnerability resides in the handling of the Title parameter within the /tourism/classes/Master.php?f=save_package endpoint. Due to insufficient input sanitization, an attacker can inject malicious JavaScript code that executes in the context of the victim's browser when the crafted input is rendered. This type of vulnerability enables attackers to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability is remotely exploitable without requiring authentication, but user interaction is necessary to trigger the malicious script. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction required for the attack initiation (UI:P), and limited impact on confidentiality and integrity (VC:N, VI:L). Although no public exploits are currently known to be in the wild, the public disclosure increases the risk of exploitation by opportunistic attackers. The affected product is a niche tourism website solution, which may be used by small to medium enterprises in the tourism sector. The lack of available patches or updates necessitates immediate mitigation efforts by affected organizations.

For European organizations, the impact of this XSS vulnerability can be significant, particularly for those operating tourism-related websites or services using the affected SourceCodester product. Exploitation could lead to theft of session cookies, enabling attackers to impersonate legitimate users, potentially accessing sensitive customer data or administrative functions. This could result in reputational damage, loss of customer trust, and regulatory penalties under GDPR if personal data is compromised. Additionally, attackers could deface websites or redirect visitors to malicious sites, harming business operations and customer experience. Given the tourism sector's importance in many European economies, especially in countries like Spain, Italy, and France, successful exploitation could disrupt business continuity and impact revenue. The vulnerability's medium severity reflects moderate risk, but the ease of remote exploitation without authentication increases its attractiveness to attackers.

To mitigate CVE-2026-2160, organizations should implement strict input validation on the Title parameter to ensure that no executable scripts can be injected. Employing server-side sanitization libraries that neutralize HTML and JavaScript content is critical. Additionally, output encoding should be applied when rendering user-supplied data to prevent script execution in browsers. Implementing a robust Content Security Policy (CSP) can further reduce the risk by restricting the sources from which scripts can be loaded and executed. Organizations should monitor web application logs for suspicious input patterns and consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads. Since no official patches are currently available, these mitigations are essential interim controls. Finally, educating web developers on secure coding practices and conducting regular security assessments of web applications will help prevent similar vulnerabilities.