Description
A vulnerability was found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected by this vulnerability is an unknown functionality of the file /dashboard_page/forms/fetch.php. The manipulation of the argument department_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified flaw is a reflected cross‑site scripting vulnerability in the fetch.php component of the CollegeManagementSystem. An attacker can supply a crafted department_name parameter that is echoed back without proper escaping, allowing malicious JavaScript to execute in the victim’s browser. This may lead to session hijacking, phishing attacks, or unauthorized disclosure of data.

Affected Systems

The vulnerability exists in the current rolling‑release version of the CollegeManagementSystem maintained by tittuvarghese. The affected code resides in /dashboard_page/forms/fetch.php, and because the project delivers continuous updates, no specific version numbers are provided. Any deployment that includes this component is potentially affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. No EPSS data are available, so the likelihood of exploitation is uncertain, but the public exploit demonstrates that remote attackers can trigger the flaw by providing a malicious department_name value. Although the issue is not listed in the CISA KEV catalog, its public disclosure and remote nature raise concern for exposed installations that accept untrusted input.

Generated by OpenCVE AI on June 5, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the repository for a patch and deploy the updated code as soon as it becomes available.
  • Validate all user‑supplied department_name values and perform output encoding before rendering them in the HTML response.
  • Add a Content‑Security‑Policy header that blocks inline scripts and restricts script sources.
  • Implement an input whitelist that allows only safe characters and a reasonable length for department_name.
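
The three code-level actions above (allow-list validation, output encoding, a restrictive CSP) fit together as shown in the following added example. This is not the project's fetch.php, which is not shown on this page; it is a hypothetical handler that only assumes a department_name request parameter is read and echoed into HTML.

```php
<?php
// Added hardening example for a department_name lookup (hypothetical, not the project's fetch.php).

// Defence in depth: forbid inline scripts and restrict script sources to the same origin,
// so a stray unencoded value still cannot run script in supporting browsers.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('Content-Type: text/html; charset=UTF-8');

/**
 * Allow-list validation for department_name: letters, digits, spaces, ampersands,
 * dots and hyphens, at most 64 characters. Returns the trimmed value or null on failure.
 */
function validate_department_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || strlen($name) > 64) {
        return null;
    }
    // Angle brackets, quotes, slashes and control characters are all rejected here.
    if (!preg_match('/^[A-Za-z0-9& .-]+$/', $name)) {
        return null;
    }
    return $name;
}

/** Output encoding for an HTML text or quoted-attribute context. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$department = validate_department_name($_GET['department_name'] ?? null);

if ($department === null) {
    http_response_code(400);
    echo '<p>Invalid department name.</p>';
    exit;
}

// The vulnerable pattern the advisory describes is echoing the raw parameter, e.g.
//   echo '<h2>Department: ' . $_GET['department_name'] . '</h2>';
// Hardened: the value was validated above and is encoded here, so even if the allow-list
// were later loosened, markup characters render as inert text instead of HTML.
echo '<h2>Department: ' . html_escape($department) . '</h2>';
```

Validation rejects the injection characters outright and encoding is the layer that must never be skipped; the CSP header only limits the damage if both are bypassed.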

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 16:45:00 +0000

(No values were removed in this entry; all rows below are values added.)

Type: Description
Values Added: A vulnerability was found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected by this vulnerability is an unknown functionality of the file /dashboard_page/forms/fetch.php. The manipulation of the argument department_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: tittuvarghese CollegeManagementSystem fetch.php cross site scripting

Type: First Time appeared
Values Added: Tittuvarghese; Tittuvarghese collegemanagementsystem

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: CPEs
Values Added: cpe:2.3:a:tittuvarghese:collegemanagementsystem:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Tittuvarghese; Tittuvarghese collegemanagementsystem

Type: References
Values Added: (none)

Type: Metrics
Values Added:
  cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T17:17:52.868Z

Reserved: 2026-06-05T08:10:10.570Z

Link: CVE-2026-11337

Vulnrichment

Updated: 2026-06-08T17:13:00.482Z

NVD

Status: Deferred

Published: 2026-06-05T17:16:42.260

Modified: 2026-06-05T19:02:13.790

Link: CVE-2026-11337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')