Description
A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the admin Add Notice endpoint of the Cyber‑III Student‑Management‑System. By manipulating the $_SERVER['PHP_SELF'] value used in /admin/Add%20notice/notice.php, an attacker can inject JavaScript that executes in the browsers of users who view the affected page. This flaw allows the theft of session data, defacement, or other malicious actions performed under the victim’s permissions. The weakness is an example of unchecked user‑controlled input leading to a stored or reflected XSS (CWE‑79).

Affected Systems

All released builds of the Cyber‑III Student‑Management‑System up to the code commit 1a938fa61e9f735078e9b291d2e6215b4942af3f are affected; no specific release numbers are available due to the project’s rolling release model.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The lack of EPSS data and KEV listing points to limited publicly known exploitation efforts. However, the exploit is publicly available and the flaw can be triggered remotely from any external host, which makes the risk tangible for exposed installations.

Generated by OpenCVE AI on April 6, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cyber‑III Student‑Management‑System to the latest release once a patch addressing the notice.php XSS flaw is released.
  • If a patch is not yet available, sanitize or encode the $_SERVER['PHP_SELF'] value before it is echoed or used in output to neutralize injected scripts.
  • Implement a content‑security policy that restricts the execution of inline scripts as an additional defense.
  • Monitor web server logs for suspicious requests containing manipulated PHP_SELF or injected JavaScript snippets.
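
For the log-monitoring action above, an added example (not part of the OpenCVE record or the project's code) that flags requests carrying HTML metacharacters in extra path info after a .php script, which PHP copies into $_SERVER['PHP_SELF']. It assumes Combined Log Format access logs; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A .php script followed by extra path info, which PHP appends to PHP_SELF
PATH_INFO_RE = re.compile(r'^(?P<script>.*?\.php)(?P<extra>/.*)$', re.I | re.S)
# Characters able to close an HTML attribute or open a tag when echoed unencoded
MARKUP_CHARS = set('<>"\'')

# Constructed sample lines (documentation IP ranges, harmless marker tag)
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2026:12:00:01 +0000] "GET /admin/Add%20notice/notice.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Apr/2026:12:00:09 +0000] "GET /admin/Add%20notice/notice.php/%22%3E%3Cx%3E HTTP/1.1" 200 5163',
    '198.51.100.4 - - [06/Apr/2026:12:01:30 +0000] "GET /admin/Add%20notice/notice.php/%2522%253E%253Cx%253E HTTP/1.1" 200 5170',
    '198.51.100.9 - - [06/Apr/2026:12:02:11 +0000] "GET /index.php/news/42?q=%3Cb%3E HTTP/1.1" 200 812',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_php_self(log_line):
    """Return (script, extra) when markup-bearing path info follows a .php script, else None."""
    request = REQUEST_RE.search(log_line)
    if not request:
        return None
    # PHP_SELF never includes the query string, so drop it before decoding
    path = decode_fully(request.group('target').split('?', 1)[0])
    match = PATH_INFO_RE.match(path)
    if match and MARKUP_CHARS & set(match.group('extra')):
        return match.group('script'), match.group('extra')
    return None

def scan(lines):
    """Return [(line_number, script, extra)] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = suspicious_php_self(line)
        if found:
            hits.append((number, *found))
    return hits

if __name__ == "__main__":
    for number, script, extra in scan(SAMPLE_LOG):
        print(f"line {number}: {script!r} carries path info {extra!r}")
```

Ordinary path info without markup characters, such as the fourth sample line, is not flagged, so front-controller style URLs do not generate noise.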

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cyber-iii; Cyber-iii student-management-system
Vendors & Products | | Cyber-iii; Cyber-iii student-management-system

Mon, 06 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | Cyber-III Student-Management-System Admin Add Endpoint notice.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T11:46:02.549Z

Reserved: 2026-04-05T20:36:11.272Z

Link: CVE-2026-5643

Vulnrichment

Updated: 2026-04-06T11:45:56.779Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T10:16:02.987

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:58Z

Weaknesses