Impact
A stored cross‑site scripting flaw exists in the Add Pages functionality of the Online Examination System. This vulnerability allows an attacker to supply malicious script content that is persisted and later rendered to arbitrary users. When a victim visits a page containing the stored payload, the script executes in their browser, potentially exposing session cookies, hijacking accounts, or defacing content. The CWE identifiers indicate an input validation problem (CWE‑79) and possible code injection (CWE‑94). The reported CVSS score of 5.1 reflects a moderate risk when the vulnerability is active. The attack can be carried out remotely by exploiting the Add Pages interface, and the public disclosure indicates that at least one example exploit is known.
Affected Systems
The affected product is the Online Examination System developed by code‑projects, version 1.0. This is the only version documented by the CNA, and the vendor’s product CPE string identifies this single release.
Risk and Exploitability
The EPSS score is below 1%, suggesting a low probability of exploitation at the time of this analysis. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. An attack requires remote submission of a malicious payload via the Add Pages component; the payload is then stored and executed for all users who view the affected page. Because the payload is stored, any user who visits the modified page, authenticated or unauthenticated, is exposed, which raises the security impact, yet the low EPSS score indicates that active exploitation may be rare. The CVSS score reflects the potential for loss of confidentiality, integrity, and availability if an attacker successfully injects code.