Description
A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The flaw exists in the /admin/update_s7.php script of the Exam Form Submission application. An attacker can submit a crafted sname value that is not correctly sanitized before being reflected to the browser, resulting in the execution of arbitrary JavaScript or HTML code within the victim’s session. The description does not indicate additional damage beyond the manipulation of the sname parameter.

Affected Systems

The affected system is code‑projects Exam Form Submission version 1.0. The vulnerability resides in an unspecified function of the update_s7.php file located in the administrative interface of the application. No other product versions or vendor variants have been reported.

Risk and Exploitability

The CVSS score of 4.8 places this issue in the Medium category. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. The attack can be carried out remotely and exploit code is publicly available, so publicly accessible instances of the application are exposed. The CVSS vectors recorded for this entry specify high privileges required (PR:H) and user interaction, which limits who can trigger the flaw.

Generated by OpenCVE AI on March 28, 2026 at 07:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued security patch or upgrade Exam Form Submission to the latest version if available.
  • Sanitize or escape the sname input before echoing it back to the browser.
  • Restrict access to /admin/update_s7.php so that only authenticated administrators can use it.



Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Description
  Values Removed: A weakness has been identified in code-projects Exam Form Submission 1.0/7.php. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
  Values Added: A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

Fri, 27 Mar 2026 20:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 04:00:00 +0000

Description
  Values Added: A weakness has been identified in code-projects Exam Form Submission 1.0/7.php. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title
  Values Added: code-projects Exam Form Submission update_s7.php cross site scripting
First Time appeared
  Values Added: Code-projects; Code-projects exam Form Submission
Weaknesses
  Values Added: CWE-79; CWE-94
CPEs
  Values Added: cpe:2.3:a:code-projects:exam_form_submission:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Code-projects; Code-projects exam Form Submission
References
Metrics
  Values Added:
    cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T22:20:59.248Z

Reserved: 2026-03-26T16:05:14.223Z

Link: CVE-2026-4909

Vulnrichment

Updated: 2026-03-27T19:59:43.843Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T03:16:02.763

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-4909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:25Z

Weaknesses