Description
A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years.
Published: 2026-02-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw in the addLeave endpoint of ZeroWdd studentmanager. By supplying a specially crafted Reason for Leave value, an attacker can inject malicious JavaScript that will execute in the browser of any user who views the resulting page. This allows cookie theft, session hijacking, and potentially the execution of arbitrary actions on behalf of the victim. The weakness corresponds to CWE-79 and may also involve code injection (CWE-94) depending on the context of the injected payload.

Affected Systems

ZeroWdd studentmanager, any release up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9, is affected. The project uses a rolling release model and is no longer actively maintained, so specific patched versions are not publicly listed. Operators should consider that all currently deployed copies of the application are potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.8 classifies the flaw as medium severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild at this time. The vulnerability is not listed in CISA’s KEV catalog. Because the application is reachable over the web, the attack can be launched remotely by any user who can submit a leave request. The absence of an official patch makes the risk higher until a fix is released.

Generated by OpenCVE AI on April 17, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to the most recent release of ZeroWdd studentmanager once available.
  • Validate and sanitize the Reason for Leave input, ensuring that all HTML and script tags are escaped or removed before rendering.
  • Deploy a Content-Security-Policy header and set session cookies with the HttpOnly flag to reduce the impact of injected scripts.
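One way to implement the three actions above for the Reason for Leave field, as an added example rather than code from the ZeroWdd studentmanager project (it assumes the javax.servlet API and that the stored reason is rendered into an HTML text node; the class and method names are hypothetical):

```java
// Added illustration, not code from the ZeroWdd studentmanager project.
// Assumes the javax.servlet API and that the stored reason is rendered
// into an HTML text node; the class and method names are hypothetical.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public final class LeaveReasonHardening {

    // HTML text/attribute-context encoding: each character that can end the
    // current context is replaced by its entity, so "<script>" in a reason
    // is shown literally instead of being parsed as markup.
    public static String escapeHtml(String reason) {
        if (reason == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(reason.length() + 16);
        for (int i = 0; i < reason.length(); i++) {
            char c = reason.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Encode at the point where the untrusted value enters the page, not only
    // when it is submitted: data already in the database stays protected.
    public static String renderReasonCell(String storedReason) {
        return "<td>" + escapeHtml(storedReason) + "</td>";
    }

    // Defence in depth for any remaining gap: a CSP with no 'unsafe-inline'
    // stops injected inline scripts from running, and HttpOnly keeps the
    // session cookie out of reach of document.cookie.
    public static void hardenResponse(HttpServletResponse resp, String sessionId) {
        resp.setHeader("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'");
        Cookie session = new Cookie("JSESSIONID", sessionId);
        session.setHttpOnly(true);
        session.setSecure(true);
        session.setPath("/");
        resp.addCookie(session);
    }
}
```

Output encoding in renderReasonCell is the actual fix for CWE-79; the CSP and cookie flags only limit what a successful injection can do.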

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:45:00 +0000
  CPEs: cpe:2.3:a:zerowdd:studentmanager:1.0:*:*:*:*:*:*:*

Mon, 23 Feb 2026 10:30:00 +0000
  CPEs: cpe:2.3:a:zerowdd:studentmanager:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 17:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000
  First Time appeared: Zerowdd; Zerowdd studentmanager
  Vendors & Products: Zerowdd; Zerowdd studentmanager

Mon, 09 Feb 2026 01:45:00 +0000
  Description: A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years.
  Title: ZeroWdd studentmanager LeaveController.java addLeave cross site scripting
  Weaknesses: CWE-79; CWE-94
  References:
  Metrics:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE
  Status: PUBLISHED
  Assigner: VulDB
  Published:
  Updated: 2026-02-23T09:53:11.632Z
  Reserved: 2026-02-07T17:45:22.766Z
  Link: CVE-2026-2201

Vulnrichment
  Updated: 2026-02-09T16:36:39.081Z

NVD
  Status: Analyzed
  Published: 2026-02-09T02:16:03.793
  Modified: 2026-03-05T21:31:55.373
  Link: CVE-2026-2201

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T21:45:28Z

Weaknesses