Impact
A cross-site scripting vulnerability exists in the code-projects Exam Form Submission application. The flaw is located in the admin endpoint /admin/update_s7.php and is triggered when an attacker crafts a malicious value for the sname query parameter. The input is not properly validated or sanitized, allowing an attacker to inject arbitrary client-side scripts that run in the context of the victim’s browser. Such a script can steal session cookies, deface pages, or execute further malicious actions on behalf of the user.
Affected Systems
The vulnerability affects the code-projects Exam Form Submission product, specifically the file update_s7.php in the application's /admin directory. No additional versions or products are listed as impacted; the description refers to the application as a whole without a precise version list.
Risk and Exploitability
The CVSS base score of 4.8 indicates a moderate severity, reflecting the potential compromise of confidentiality, integrity, and availability of session data. The attack can be carried out remotely by sending a crafted HTTP request that includes a malicious sname value, and the vulnerability details are publicly available through the referenced discovery reports. The flaw is not listed in the CISA KEV catalog, and no EPSS score is provided. Because the vulnerability requires the victim to load the affected page, successful exploitation depends on user interaction, but the remote nature of the attack and the lack of input restrictions increase the likelihood that an attacker could deliver the payload. Administrators should treat this as a high-priority patching issue.
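As an added illustration of the fix (not code from the Exam Form Submission project, whose update_s7.php source is not reproduced here), the following shows the assumed vulnerable pattern for the sname parameter beside a hardened version that validates the value against an allow-list and encodes it for the HTML attribute context; the allow-list pattern and the CSP header are assumptions about what the application needs.

```php
<?php
// Added example, not the project's own code. The vulnerable line below is an
// assumption about how update_s7.php reflects the sname query parameter.
//
// Assumed vulnerable pattern: the raw query value is written straight into the page.
//   echo '<input type="text" name="sname" value="' . $_GET['sname'] . '">';

// Hardened: validate on input, then encode for the HTML attribute context on output.
function validate_student_name(?string $raw): ?string
{
    if ($raw === null) {
        return '';
    }
    // Allow-list (assumed policy): letters, spaces, dots, hyphens, apostrophes, max 100 chars.
    // Anything else (including '<', '>', '"', '&') is rejected instead of being echoed.
    if (!preg_match("/^[\p{L} .'-]{1,100}$/u", $raw)) {
        return null;
    }
    return $raw;
}

function html_attr(string $value): string
{
    // Encode every character that is meaningful inside an HTML attribute, including both quote types.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: a CSP without 'unsafe-inline' stops an injected inline script
// from running even if some other output path is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$sname = validate_student_name($_GET['sname'] ?? null);
if ($sname === null) {
    http_response_code(400);
    exit('Invalid student name');
}
echo '<input type="text" name="sname" value="' . html_attr($sname) . '">';
```

Output encoding is the essential fix; the allow-list and CSP reduce the blast radius if a future change reintroduces a raw echo.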
OpenCVE Enrichment