Description
A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. Manipulating this function leads to cross-site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-02-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Assess impact
AI Analysis

Impact

A cross‑site scripting vulnerability exists in the Announcement Management module of the code‑projects Online Student Management System 1.0. The flaw is located in an undisclosed function of the /admin/announcement/index.php?view=add page, where user input is rendered without proper escaping. Attackers can supply crafted data that results in arbitrary JavaScript executing in the browsers of users who view the vulnerable page. The weakness is identified as CWE‑79, with an associated code‑injection aspect labeled CWE‑94.

Affected Systems

The vulnerability affects the code‑projects Online Student Management System version 1.0, specifically the admin/announcement module used for adding announcements; no other versions or products are listed as impacted.

Risk and Exploitability

The CVSS base score of 4.8 indicates low‑to‑moderate severity. The EPSS score of less than 1 % suggests a very low likelihood of real‑world exploitation, and the flaw is not cataloged in the CISA KEV list. The attack is remote and can be performed by sending a crafted request or a malicious link to the vulnerable endpoint. A publicly available exploit means that any user who accesses the affected page while logged in or unauthenticated is at potential risk. The exact extent of damage—such as session hijacking, defacement, or redirection—is typical for XSS but is not explicitly detailed in the CVE report; these effects are inferred as common outcomes when script execution occurs.

Generated by OpenCVE AI on April 18, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or update that addresses the XSS flaw in the Announcement Management module.
  • Modify the /admin/announcement/index.php?view=add page to validate and HTML‑encode all output originating from user input before rendering.
  • Deploy a strict Content Security Policy that blocks inline scripts and restricts allowed script sources to trusted domains.
  • Conduct a comprehensive security review of similar components to identify and remediate additional XSS or injection weaknesses.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Fabian; Fabian online Student Management System
CPEs |  | cpe:2.3:a:fabian:online_student_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products |  | Fabian; Fabian online Student Management System

Mon, 09 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Code-projects; Code-projects online Student Management System
Vendors & Products |  | Code-projects; Code-projects online Student Management System

Sun, 08 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description |  | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Title |  | code-projects Online Student Management System Announcement Management index.php cross site scripting
Weaknesses |  | CWE-79, CWE-94
References |  |
Metrics |  | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:42:51.098Z

Reserved: 2026-02-07T08:28:12.130Z

Link: CVE-2026-2156

Vulnrichment

Updated: 2026-02-09T19:08:08.872Z

NVD

Status: Analyzed

Published: 2026-02-08T15:15:51.307

Modified: 2026-02-10T13:48:57.620

Link: CVE-2026-2156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses