Description
A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-03-23
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A flaw exists in an unspecified function of the /admin/update_s3.php script of Exam Form Submission. When the sname argument is manipulated, the application echoes the supplied value back to the browser without proper encoding, resulting in a reflected XSS issue. An attacker can use this to insert script code that runs in the victim's browser when the crafted URL is visited. The CVE description does not explicitly list downstream effects; based on typical XSS behavior, such scripts could steal session cookies or display unwanted content.

Affected Systems

Only code‑projects Exam Form Submission version 1.0 is known to contain this vulnerability; no other releases have been identified as impacted.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate risk, mainly affecting confidentiality and integrity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, as an attacker only needs to send an HTTP request containing a malicious value for sname. The exploit has been publicly disclosed, so attackers could feasibly craft a malicious request, but no active exploits are reported.

Generated by OpenCVE AI on March 23, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or upgrade to a fixed version when it becomes available
  • Validate and sanitize user input for the sname parameter before rendering
  • Enforce a Content Security Policy that restricts inline scripts and limits script sources
  • Monitor web server logs for suspicious requests containing script code
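
One way to implement the log-monitoring action above, added here as an example (not code from OpenCVE or the vendor): it scans access-log lines for requests to /admin/update_s3.php whose sname value decodes to HTML markup, including double-encoded values. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup indicators that should never appear in a name field. Quotes are left
# out on purpose so names such as O'Brien do not raise false positives.
MARKUP_RE = re.compile(r'[<>]|javascript:|\bon\w+\s*=', re.IGNORECASE)
TARGET_PATH = "/admin/update_s3.php"   # file named in the CVE description
TARGET_PARAM = "sname"                 # argument named in the CVE description

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_sname(log_line):
    """Return the decoded sname value if it contains markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if url.path.lower() != TARGET_PATH:
        return None
    # parse_qs decodes once; fully_decode handles any further encoding layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        value = fully_decode(raw)
        if MARKUP_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = ((n, suspicious_sname(line)) for n, line in enumerate(lines, 1))
    return [(n, value) for n, value in hits if value is not None]

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:09:01:12 +0000] "GET /admin/update_s3.php?sname=Alice+Smith HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Mar/2026:09:02:40 +0000] "GET /admin/update_s3.php?sname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [23/Mar/2026:09:03:05 +0000] "GET /admin/update_s3.php?sname=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 541',
    '203.0.113.7 - - [23/Mar/2026:09:04:00 +0000] "GET /admin/index.php?sname=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: sname decodes to {value!r}")
```

Values sent in a POST body do not appear in an access log, so this covers only the query-string form described in the analysis above.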


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title | | code-projects Exam Form Submission update_s3.php cross site scripting
First Time appeared | | Code-projects; Code-projects exam Form Submission
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:code-projects:exam_form_submission:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects exam Form Submission
References | |
Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T14:01:02.245Z

Reserved: 2026-03-22T08:51:18.505Z

Link: CVE-2026-4578

Vulnrichment

Updated: 2026-03-25T14:00:35.650Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T08:16:18.030

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-4578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:32Z

Weaknesses