Description
A vulnerability was detected in SourceCodester Online Quiz System up to 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-03-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the SourceCodester Online Quiz System up to version 1.0, specifically in the add-question.php endpoint. Manipulating the quiz_question parameter allows an attacker to inject arbitrary script code, which the application renders without proper sanitization. This results in classic reflected cross-site scripting, which can be triggered remotely through crafted URLs or form submissions. The impact is the potential theft of user credentials or session hijacking of any authenticated user who views the injected page.

Affected Systems

Affected systems are instances of SourceCodester's Online Quiz System running version 1.0 or earlier. No specific sub-components or plugins are enumerated; the flaw is tied to the add-question.php functionality within the core application. Users who host or deploy this version are therefore vulnerable.

Risk and Exploitability

With a CVSS score of 5.1, the flaw is considered moderate in severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The exploit requires only remote access to the vulnerable endpoint and does not need elevated privileges, so an external attacker can easily execute the attack by sending a crafted request. If the application allows anonymous or low-privilege users to access add-question.php, the risk is amplified.

Generated by OpenCVE AI on March 28, 2026 at 06:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check SourceCodester's website or support forums for an updated version of the Online Quiz System that fixes the add-question.php XSS flaw and apply it immediately.
  • If a patch is not yet available, restrict access to the add-question.php page so that only authenticated users with appropriate privileges can submit data, and enable strict content security policies to limit script execution.
  • Sanitize the quiz_question input on the server side and ensure that any dynamic content is properly escaped before rendering to prevent script injection.
  • Monitor web application logs for repeated attempts to inject payloads into the quiz_question parameter and investigate any detected anomalies.
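
The input validation, output encoding and content security policy recommended above could look like the following. This is an added example, not code from the Online Quiz System or from the advisory; it assumes PHP 8 with the mbstring extension, and the function names and the 500-character limit are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the real endpoint/add-question.php is not shown on the page.

/** Validate quiz_question on input: UTF-8 text, bounded length, no control characters. */
function validate_quiz_question(mixed $raw): string
{
    if (!is_string($raw) || !mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('quiz_question must be valid UTF-8 text');
    }
    $text = trim($raw);
    if ($text === '' || mb_strlen($text, 'UTF-8') > 500) { // 500 is an assumed limit
        throw new InvalidArgumentException('quiz_question must be 1-500 characters');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $text) === 1) {
        throw new InvalidArgumentException('quiz_question contains control characters');
    }
    return $text; // stored as plain text; encoding happens at output time
}

/** Encode a value for an HTML text or quoted-attribute context at render time. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Send a restrictive CSP so inline script does not run even if an encoding call is missed. */
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample input containing markup, as it might arrive in $_POST['quiz_question'].
$sample = 'What does <script>document.title</script> & "<b>" do?';

if (PHP_SAPI !== 'cli') {
    send_security_headers(); // headers must be sent before any output
}
$question = validate_quiz_question($sample);

// The markup in the sample is rendered as inert text, not interpreted by the browser.
echo '<p class="question">' . h($question) . "</p>\n";
```

Encoding at output time rather than stripping tags on input keeps the stored question intact and protects every page that later renders it.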

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values Removed: A vulnerability was detected in SourceCodester Online Quiz System hasta 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Values Added: A vulnerability was detected in SourceCodester Online Quiz System up to 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Fri, 27 Mar 2026 20:15:00 +0000

Values Added
Description: A vulnerability was detected in SourceCodester Online Quiz System hasta 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title: SourceCodester Online Quiz System add-question.php cross site scripting
Weaknesses: CWE-79, CWE-94
References:
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T22:17:49.312Z

Reserved: 2026-03-27T08:55:48.525Z

Link: CVE-2026-4973

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:38.247

Modified: 2026-03-27T23:17:18.537

Link: CVE-2026-4973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:30:19Z

Weaknesses