Description
In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

An attacker can submit a malicious script via the pagedes POST parameter on the /studentms/admin/contact-us.php page. The page echoes the supplied value back to the browser without proper filtering, allowing the payload to execute in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or execution of arbitrary code within the victim's browser. The issue is a classic reflected XSS weakness (CWE-79).

Affected Systems

Version 1.0 of the School-management-system developed by the user manikandan580 is impacted. No other vendors or products are listed as affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.1, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly documented exploits yet. The likely attack path requires the attacker to send a crafted POST request to the contact-us page, from which the malicious JavaScript is returned to the victim's browser. The impact is limited to browsers that load the echoed value and does not automatically grant system compromise beyond the user's session.

Generated by OpenCVE AI on April 14, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched version of the School-management-system as described in the advisory at https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md
  • If an update is unavailable, ensure that the pagedes POST parameter is sanitized and that any dynamic content is properly encoded before rendering to prevent script execution
  • Deploy a Web Application Firewall or input validation libraries to detect and block malicious payloads targeting the contact-us page
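As an added illustration of the second recommended action (example code, not the School-management-system project's own source), the snippet below places the reflection pattern the advisory describes next to an output-encoded version of the same handler. Only the parameter name pagedes comes from the advisory; the function names, the textarea markup, and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not code from the School-management-system project.
// Shows the CWE-79 pattern described in the advisory and the
// output-encoding fix recommended above. Function names, the markup
// and the sample input are assumptions for this illustration.

declare(strict_types=1);

/**
 * Encode a string for insertion into an HTML text node or a
 * double-quoted attribute value. ENT_QUOTES also escapes single quotes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical vulnerable handler: the POST value is written back into
 * the response verbatim, so any markup it contains is parsed by the
 * browser (reflected XSS, CWE-79).
 */
function renderUnsafe(array $post): string
{
    $pagedes = $post['pagedes'] ?? '';
    return '<textarea name="pagedes">' . $pagedes . '</textarea>'; // unsafe: no encoding
}

/**
 * Hardened handler: the same value is encoded at the point of output,
 * so it is displayed as text rather than interpreted as HTML. Encoding
 * '<' and '>' also prevents an early </textarea> from closing the element.
 */
function renderSafe(array $post): string
{
    $pagedes = $post['pagedes'] ?? '';
    return '<textarea name="pagedes">' . h($pagedes) . '</textarea>';
}

// Constructed sample input containing harmless markup, used only to
// show the difference between the two renderings.
$sample = ['pagedes' => '<b>hello</b> "quoted" & more'];

echo renderUnsafe($sample), PHP_EOL;
echo renderSafe($sample), PHP_EOL;
```

htmlspecialchars() with these flags covers the HTML body and quoted-attribute contexts; a value placed inside a script block, a URL, or a CSS rule needs the encoding for that context instead. Marking the session cookie HttpOnly and serving a Content-Security-Policy are independent layers that reduce the session-hijacking impact described above if an encoding gap remains.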

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Manikandan580, Manikandan580 school-management-system

Type: Vendors & Products
Values Removed: (none)
Values Added: Manikandan580, Manikandan580 school-management-system

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Reflected Cross-Site Scripting in School Management System Contact Page

Tue, 14 Apr 2026 18:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter.

Type: References

Subscriptions

Manikandan580 School-management-system
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T18:04:46.651Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65136

Vulnrichment

Updated: 2026-04-14T18:04:41.027Z

NVD

Status : Deferred

Published: 2026-04-14T16:16:34.640

Modified: 2026-04-17T15:33:34.050

Link: CVE-2025-65136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:03:12Z

Weaknesses