Description
A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Published: 2026-03-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (client‑side code execution)
Action: Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the PHPEMS 11.0 application, triggered by manipulating the 'askcontent' parameter in the /index.php?ask=app-ask endpoint. The vulnerability allows an attacker to inject and execute arbitrary script code within the context of a victim’s browser, potentially leading to session hijacking, defacement, or credential theft. The weakness is a classic reflected XSS, classified under CWE‑79, and is exposed through a remote attack vector.

Affected Systems

The affected system is the PHPEMS e‑learning platform version 11.0. The flaw resides in the index.php script that processes the 'askcontent' input. Only installations running PHPEMS 11.0 or earlier are vulnerable; any newer release that removes or sanitises this input is presumed safe.

Risk and Exploitability

The CVSS base score of 5.1 reflects moderate severity. The EPSS score of less than 1 % indicates a low probability that the vulnerability has been widely exploited in the wild, and it is not listed in the CISA KEV catalog, so no known field‑invasive exploits have been reported. Nonetheless, the flaw is publicly documented and exploitable by anyone with network access to the web server, requiring no authentication or special privileges. An attacker can craft a URL containing malicious code in the askcontent value, cause the target user’s browser to execute it, and then proceed with secondary attacks if privileged information is captured.

Generated by OpenCVE AI on April 16, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PHPEMS to a patched or newer version that removes the vulnerable code.
  • If an upgrade is not yet available, enforce strict input validation on the 'askcontent' parameter by escaping or stripping script tags before rendering.
  • Deploy a Content‑Security‑Policy header (or similar mitigations) on the web application to restrict script execution from untrusted sources.

Generated by OpenCVE AI on April 16, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in PHPEMS 11.0. The affected element is an unknown function of the file /index.php?ask=app-ask. Performing a manipulation of the argument askcontent results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Title PHPEMS index.php cross site scripting
First Time appeared Phpems
Phpems phpems
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:phpems:phpems:*:*:*:*:*:*:*:*
Vendors & Products Phpems
Phpems phpems
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Phpems Phpems
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T15:49:51.282Z

Reserved: 2026-03-11T09:17:24.423Z

Link: CVE-2026-3946

cve-icon Vulnrichment

Updated: 2026-03-11T15:49:42.962Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-11T15:16:33.787

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses