Description
A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-23
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the /admin/update_s5.php script of Exam Form Submission 1.0, where an attacker can supply a malicious payload in the sname parameter that is rendered without proper escaping. Because the value is output to a browser, an injected script runs in the context of any user who views the affected page, allowing cookie theft, session hijacking, defacement or other client‑side attacks.

Affected Systems

All installations of Exam Form Submission 1.0 that expose the /admin/update_s5.php endpoint are affected. The flaw is specific to the code‑projects product and its admin update functionality.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The flaw is remotely exploitable, and a public proof‑of‑concept has been released. Per the CVSS 4.0 vector (PR:H, UI:P), the attacker needs high privileges and a user must interact for the payload to run. The EPSS score is not available, but the existence of a public exploit suggests a non‑negligible chance that attackers will try to use it. The vulnerability is not yet in the CISA KEV catalog, but attackers could still target exposed instances without much difficulty.

Generated by OpenCVE AI on March 23, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor provided patch or upgrade to a newer, non‑vulnerable version of Exam Form Submission.
  • If an update is not immediately available, restrict access to /admin/update_s5.php by locking it behind authentication or network segmentation.
  • Implement input validation on the sname parameter so that only expected characters are accepted, and HTML‑escape the value wherever it is rendered, since the flaw is output without proper escaping.
  • Enable a content security policy to mitigate potential XSS impact.
  • Monitor outgoing traffic and logs for unusual script injection attempts.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Values Removed: (none listed)

Values Added:

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 05:45:00 +0000

Values Removed: (none listed)

Values Added:

Description: A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Title: code-projects Exam Form Submission update_s5.php cross site scripting
First Time appeared: Code-projects; Code-projects exam Form Submission
Weaknesses: CWE-79, CWE-94
CPEs: cpe:2.3:a:code-projects:exam_form_submission:*:*:*:*:*:*:*:*
Vendors & Products: Code-projects; Code-projects exam Form Submission
References:
Metrics (cvssV2_0): {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0): {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics (cvssV3_1): {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics (cvssV4_0): {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:02:40.204Z

Reserved: 2026-03-22T08:51:12.051Z

Link: CVE-2026-4576

Vulnrichment

Updated: 2026-03-23T16:02:36.506Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T06:16:21.087

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:39Z