Description
A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Published: 2026-03-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (client-side injection)
Action: Apply Patch
AI Analysis

Impact

An unsanitized input parameter 'vr' in the add_result.php script of itsourcecode University Management System 1.0 allows a remote attacker to inject arbitrary scripts into the page. The vulnerability can be exploited via a crafted HTTP request to the /add_result.php endpoint, leading to client-side code execution. This may enable session hijacking, data theft, or defacement of the user interface.

Affected Systems

The vulnerability is present only in itsourcecode University Management System 1.0, specifically in the add_result.php file, where the 'vr' argument is not properly validated or escaped.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The exploit is remote and publicly available, so the risk is moderate to high for unpatched deployments.

Generated by OpenCVE AI on March 18, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for a patched version of University Management System 1.0 and upgrade immediately.
  • If a patch is not available, sanitize or validate the 'vr' input parameter to remove or encode script tags before rendering.
  • Deploy a web application firewall or content-security-policy header to restrict script execution.
  • Monitor web traffic for suspicious injection attempts and audit error logs.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Itsourcecode; Itsourcecode university Management System
Vendors & Products | | Itsourcecode; Itsourcecode university Management System

Wed, 18 Mar 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.
Title | | itsourcecode University Management System add_result.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-18T14:11:41.455Z

Reserved: 2026-03-17T18:34:03.378Z

Link: CVE-2026-4356

Vulnrichment

Updated: 2026-03-18T14:11:37.296Z

NVD

Status: Awaiting Analysis

Published: 2026-03-18T02:16:25.223

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-4356

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:51Z
