Description
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.
Published: 2026-04-28
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected Cross-Site Scripting vulnerability exists in the School Management System by mahmoudai1. An unauthenticated attacker can supply an arbitrary value for the 'type' query parameter in register.php. The value is returned unescaped in the browser, allowing an attacker to inject and execute malicious JavaScript within the victim’s browser context. This client-side execution can lead to session hijacking, credential theft, defacement, or phishing attempts against users who visit the vulnerable page.

Affected Systems

The vulnerability is present in the School Management System repository hosted by mahmoudai1 on GitHub. No specific version information has been provided, so the issue affects all available releases of the application as distributed in that repository.

Risk and Exploitability

Because the flaw is triggered by a GET parameter and requires no authentication, any external user can exploit it. The EPSS score is below 1%, the CVSS base score is 6.1, and the vulnerability is not listed in the CISA KEV catalog. No advisory or patch has been published, and exploitation is straightforward, so the risk remains high. An attacker can inject scripts that run in the context of any user who opens a crafted URL.

Generated by OpenCVE AI on April 30, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize the 'type' query parameter before it is used or echoed in register.php.
  • Remove the echo of the unsanitized 'type' value from responses to prevent reflection.
  • Implement a Content Security Policy that limits the sources from which JavaScript can load, thereby mitigating the impact of any remaining reflected input.

Generated by OpenCVE AI on April 30, 2026 at 04:06 UTC.
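As an added example (not code from the mahmoudai1 repository or from OpenCVE), the following PHP shows how register.php could apply the three recommended actions together: allowlist the 'type' value, escape it at output time, and send a Content Security Policy. The allowed values (student, teacher) and the form markup are assumptions.

```php
<?php
// Added example, not code from the mahmoudai1 repository. The parameter
// name 'type' and the page register.php come from the advisory; the
// allowed values and the form markup below are assumptions.
declare(strict_types=1);

// Allowlist of values register.php is assumed to expect for ?type=.
const ALLOWED_TYPES = ['student', 'teacher'];

// Step 1: validate. Anything outside the allowlist falls back to a safe
// default instead of being echoed, so attacker-controlled strings never
// reach the HTML at all.
function sanitize_type(?string $raw): string
{
    $value = strtolower(trim((string) $raw));
    return in_array($value, ALLOWED_TYPES, true) ? $value : 'student';
}

// Step 2: escape at output time, even for validated values, so a later
// change to the allowlist cannot silently reintroduce reflection.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 3: CSP without 'unsafe-inline' for scripts, so an injected
// <script> block or on*= handler would not execute even if it landed
// in the page. Must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

$type = sanitize_type($_GET['type'] ?? null);

// Risky pattern this replaces (assumed shape, not the project's code):
//   echo "<input type='hidden' name='type' value='" . $_GET['type'] . "'>";
// Hardened output: only an allowlisted, escaped value is ever rendered.
?>
<form method="post" action="register.php">
  <input type="hidden" name="type" value="<?= esc($type) ?>">
  <h2>Register as <?= esc($type) ?></h2>
</form>
```

With this in place a request such as ?type=%3Cscript%3E... renders as "student", and any value that did reach the template would be entity-encoded rather than interpreted as markup.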

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Title Unsanitized ‘type’ Parameter Leads to Reflected XSS in School Management System

Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Mahmoudai1
Mahmoudai1 school Management System
Vendors & Products Mahmoudai1
Mahmoudai1 school Management System

Wed, 29 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Title Unsanitized ‘type’ Parameter Leads to Reflected XSS in School Management System
Weaknesses CWE-79

Tue, 28 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T15:12:46.540Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37750

Vulnrichment

Updated: 2026-04-29T13:06:47.487Z

NVD

Status: Deferred

Published: 2026-04-28T22:16:49.330

Modified: 2026-04-29T21:23:06.397

Link: CVE-2026-37750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses