Description
A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-08
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the /add.php functionality of the imvks786 student_management_system. By manipulating the arguments name, address, or fname, a malicious user can inject arbitrary script code that is rendered by a victim’s browser. An attacker could insert a JavaScript payload, leading to session hijacking, credential theft, defacement, or other client‑side attacks. The flaw is a classic reflected XSS flaw identified as CWE‑79, and secondarily a code injection weakness (CWE‑94) if execution of injected PHP code is possible.

Affected Systems

The affected product is imvks786: student_management_system. All releases up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46 are vulnerable. Because the project uses a rolling release model, explicit version numbers are not provided, so any deployment that includes code prior to that commit is at risk.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity; the EPSS score is not available, so the current exploitation probability cannot be quantified, but the vulnerability is publicly disclosed and can be triggered remotely via crafted requests. It is not included in the CISA KEV catalog, yet it remains an active local or remote attack vector. An attacker with access to the web interface could immediately exploit it, especially if the application does not employ proper input sanitization or output encoding. The potential impact on confidentiality and integrity is significant, while availability is not directly affected.

Generated by OpenCVE AI on June 8, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the student_management_system to the latest commit that addresses the XSS issue or apply a patch that sanitizes the name, address, and fname parameters before outputting them.
  • Implement server‑side input validation and proper output encoding (e.g., use htmlspecialchars in PHP) to neutralise any injected scripts.
  • Set a Content‑Security‑Policy header to restrict execution of inline scripts and disallow external script sources, reducing the risk of XSS payloads.

Generated by OpenCVE AI on June 8, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title imvks786 student_management_system add.php cross site scripting
First Time appeared Imvks786
Imvks786 student Management System
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:imvks786:student_management_system:*:*:*:*:*:*:*:*
Vendors & Products Imvks786
Imvks786 student Management System
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Imvks786 Student Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T16:45:09.182Z

Reserved: 2026-06-07T19:53:29.687Z

Link: CVE-2026-11534

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:40.763

Modified: 2026-06-08T17:16:40.763

Link: CVE-2026-11534

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T18:30:16Z

Weaknesses