Description
A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-03-23
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A vulnerability was determined in Code‑Projects Exam Form Submission 1.0, affecting unknown code in /admin/update_s6.php. Manipulating the "sname" argument can lead to cross‑site scripting. Because the application exposes a web interface, a remote attacker can trigger the vulnerability by sending a crafted request. The impact is that the victim's browser will execute the injected script, potentially leading to session hijacking, defacement, or phishing. The weakness is classified as CWE‑79, and the description notes CWE‑94, but there is no indication of server‑side code execution.

Affected Systems

The affected product is Code‑Projects Exam Form Submission, version 1.0. The vulnerability specifically targets any deployment that includes the admin/update_s6.php file. The CPE entry confirms the association with code‑projects:exam_form_submission. Because the source is public, any installation that has not applied a fix remains vulnerable.

Risk and Exploitability

The CVSS base score of 4.8 indicates medium severity. The description states that the attack can be launched remotely; no authentication or privileged access is explicitly required. The CVSS vectors recorded in the History section, however, specify high privileges (PR:H in v3.x and v4.0, Au:M in v2.0) and user interaction (UI:R in v3.x, UI:P in v4.0), so triage should use the vectors rather than the description alone. The EPSS score of 0.00032 (less than 1%) indicates a very low probability of exploitation. The vulnerability is not present in the CISA KEV catalog, yet publicly disclosed exploits exist, so the risk remains real. If an attacker submits a malicious value for "sname" to the vulnerable endpoint, the injected script will run in the context of any user who loads the page, exposing them to potential compromise.

Generated by OpenCVE AI on April 18, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch when it becomes available.
  • Sanitize and encode the "sname" input before rendering.
  • Limit access to /admin/update_s6.php to authorized administrators only.
  • Implement a strict Content Security Policy to block inline scripts.
  • Monitor application logs for unexpected script injection attempts.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:30:00 +0000


Sat, 18 Apr 2026 04:30:00 +0000

Type: Description
Values Removed: A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Values Added: A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Type: References

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:00:00 +0000

Type: Description
Values Added: A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Type: Title
Values Added: code-projects Exam Form Submission update_s6.php cross site scripting

Type: First Time appeared
Values Added: Code-projects; Code-projects exam Form Submission

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: CPEs
Values Added: cpe:2.3:a:code-projects:exam_form_submission:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Code-projects; Code-projects exam Form Submission

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-18T03:35:36.342Z

Reserved: 2026-03-22T12:04:23.428Z

Link: CVE-2026-4595

Vulnrichment

Updated: 2026-03-24T14:45:34.660Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T19:16:43.190

Modified: 2026-04-18T05:16:23.630

Link: CVE-2026-4595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses