Description
A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $_SERVER['PHP_SELF'] results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Assess Impact
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary JavaScript by manipulating the server variable $_SERVER['PHP_SELF'] in the file /admin/Add notice/batch-notice.php; the injected script is then executed in the browsers of users who submit the batch notice. The attack can be initiated remotely.

Affected Systems

The Cyber‑III Student‑Management‑System is affected in any release that contains or precedes commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. No official patch or updated release has been issued, and the project has not responded to the issue. The product uses continuous delivery with rolling releases, so version numbers are not clearly identified beyond this commit reference. "Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."

Risk and Exploitability

The CVSS score is 4.8, indicating a low‑moderate severity level. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploit code is publicly available, and the flaw can be triggered from a remote location. Because the flaw involves user‑controlled input, the attack surface remains open unless the vendor provides a fix or the deployment implements mitigating controls.

Generated by OpenCVE AI on April 6, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Cyber‑III support to obtain a patch or an updated release
  • Disable or remove the /admin/Add notice/batch-notice.php function if it is not required for your installation
  • Restrict access to the page so that only authenticated administrators can use it
  • Validate and encode user input such as $_SERVER['PHP_SELF'] using functions like htmlspecialchars to neutralize injected code
  • Deploy a web application firewall rule to block script injection via the vulnerable parameter
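
The encoding recommendation above, as an added example that is not code from the Student-Management-System project or from OpenCVE: it contrasts writing $_SERVER['PHP_SELF'] into a page unencoded with a hardened form. The function names, the form-action sink and the request values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical and are not taken from the
// Student-Management-System code base; the form markup is an assumed sink.

/** The pattern the advisory describes: PHP_SELF written into HTML unencoded. */
function form_tag_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

/** Encode for the HTML attribute context, including both quote styles. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened: SCRIPT_NAME omits the client-supplied path info that PHP_SELF
 * appends, and the value is still encoded before it reaches the attribute.
 */
function form_tag_safe(array $server): string
{
    return '<form method="post" action="' . attr($server['SCRIPT_NAME'] ?? '') . '">';
}

// Constructed request values: the client appended extra path segments, so
// PHP_SELF carries them while SCRIPT_NAME is only the script's own path.
$server = [
    'SCRIPT_NAME' => '/admin/Add notice/batch-notice.php',
    'PHP_SELF'    => '/admin/Add notice/batch-notice.php/"><i>constructed</i>',
];

$unsafe  = form_tag_unsafe($server);
$safe    = form_tag_safe($server);
$encoded = '<form method="post" action="' . attr($server['PHP_SELF']) . '">';

// Does the appended text survive as markup in each variant?
var_dump(strpos($unsafe, '<i>') !== false);
var_dump(strpos($safe, '<i>') !== false);
// When PHP_SELF must be kept, encoding turns the markup characters into entities.
var_dump(strpos($encoded, '&quot;&gt;&lt;i&gt;') !== false);
```

Searching the code base for other places where $_SERVER['PHP_SELF'] is echoed without encoding is a useful follow-up, since the same pattern tends to be copied between pages.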

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Cyber-iii
Cyber-iii student-management-system
Vendors & Products Cyber-iii
Cyber-iii student-management-system

Mon, 06 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $_SERVER['PHP_SELF'] results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title Cyber-III Student-Management-System batch-notice.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T03:05:43.892Z

Reserved: 2026-04-05T20:36:14.383Z

Link: CVE-2026-5644

Vulnrichment

Updated: 2026-04-07T03:05:40.459Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T10:16:03.190

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:57Z