CVE-2026-32843
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk37th percentile - higher than 37% of all known CVEs
Summary
A reflected XSS vulnerability in the Location Aware Sensor System by Linkit ONE (up to commit f06bd20, 2023-04-26) exists in the PM25.php file. Attackers can inject malicious JavaScript into GET parameters (site, city, district, channel, apikey), leading to script execution in victims' browsers.
Risk Assessment
The risk includes session hijacking, redirection to malicious sites, or theft of user credentials from victims visiting a crafted URL.
Recommendation
Immediately update the system to a version after commit f06bd20 and apply output encoding for all GET parameters in PM25.php.
Original NVD description (English source)
Location Aware Sensor System by Linkit ONE, up to commit f06bd20 (2023-04-26), contains a reflected cross-site scripting vulnerability in the PM25.php file that allows remote attackers to execute arbitrary JavaScript by injecting malicious code into GET parameters. Attackers can craft a malicious URL containing unencoded payloads in the site, city, district, channel, or apikey parameters to execute scripts in victims' browsers when they visit the page.

