Description
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.
Published: 2026-04-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected Cross-Site Scripting vulnerability exists in the School Management System by mahmoudai1. An unauthenticated attacker can supply an arbitrary value for the 'type' query parameter in register.php. The value is returned unescaped in the browser, allowing an attacker to inject and execute malicious JavaScript within the victim's browser context. This client-side execution can lead to session hijacking, credential theft, defacement, or phishing attempts against users who visit the vulnerable page.

Affected Systems

The vulnerability is present in the School Management System repository hosted by mahmoudai1 on GitHub. No specific version information has been provided, so all releases of the application distributed in that repository should be treated as affected.

Risk and Exploitability

Because the flaw is triggered by a GET parameter and does not require authentication, any external user can exploit it. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Reflected XSS through a single query parameter is straightforward to exploit, and no advisory or patch is available, so the risk is high. An attacker can inject scripts that run in the context of any user who accesses the malformed URL.

Generated by OpenCVE AI on April 29, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize the 'type' query parameter before it is used or echoed in register.php.
  • Remove the echo of the unsanitized 'type' value from responses to prevent reflection.
  • Implement a Content Security Policy that limits the sources from which JavaScript can load, thereby mitigating the impact of any remaining reflected input.
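The first two recommendations side by side, as an added PHP example that is not code from the mahmoudai1 repository: the reflecting pattern is a hypothetical reconstruction of the behaviour the advisory describes, the accepted 'type' values are assumed, and the hardened handler allowlists the value and HTML-encodes it on output, with a CSP header for the third recommendation.

```php
<?php
// Added example, not the project's code. The unsafe function below is a
// hypothetical reconstruction of the reflection described in the advisory;
// the allowed 'type' values are assumed.

// Vulnerable pattern: the query parameter is echoed into HTML as-is, so a
// crafted value is rendered as markup/script in the visitor's browser.
function render_type_unsafe(string $type): string
{
    return "<input type=\"hidden\" name=\"type\" value=\"" . $type . "\">";
}

// Hardened pattern, two layers:
// 1. Validate: accept only a value from a fixed allowlist (assumed values).
// 2. Encode: HTML-escape on output anyway, so a later change to the
//    allowlist cannot reintroduce the reflection.
const ALLOWED_TYPES = ['student', 'teacher'];

function normalize_type(?string $type): string
{
    // Unknown or missing values fall back to a safe default, never reflected.
    return in_array($type, ALLOWED_TYPES, true) ? $type : 'student';
}

function render_type_safe(?string $type): string
{
    $clean = normalize_type($type);
    // ENT_QUOTES escapes both ' and " so the value is safe inside an attribute;
    // the charset is stated explicitly to avoid encoding-dependent surprises.
    $encoded = htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type=\"hidden\" name=\"type\" value=\"" . $encoded . "\">";
}

// Defence in depth (third recommendation): a CSP that disallows inline
// script. Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Local self-check with a constructed probe value (classic XSS test string).
function self_check(): bool
{
    $probe = '"><script>alert(1)</script>';
    return str_contains(render_type_unsafe($probe), '<script>')
        && !str_contains(render_type_safe($probe), '<script>')
        && render_type_safe($probe) === render_type_safe('student');
}

echo self_check() ? "hardened handler neutralises the probe\n" : "check failed\n";
```

Requires PHP 8 for str_contains; on older releases replace it with strpos() !== false.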


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mahmoudai1; Mahmoudai1 School Management System
Vendors & Products | | Mahmoudai1; Mahmoudai1 School Management System

Wed, 29 Apr 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Unsanitized 'type' Parameter Leads to Reflected XSS in School Management System
Weaknesses | | CWE-79

Tue, 28 Apr 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.
References | |

Subscriptions

Mahmoudai1 School Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-28T19:49:13.220Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37750

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T22:16:49.330

Modified: 2026-04-28T22:16:49.330

Link: CVE-2026-37750

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:11:04Z

Weaknesses