Description
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/delete_batch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument batch can lead to cross-site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

A remote web vulnerability exists in the Student‑Management System’s delete_batch.php endpoint. By manipulating the batch argument sent to the file, an attacker can inject arbitrary JavaScript that is reflected back to the victim’s browser. This reflected cross‑site scripting would allow a malicious actor to execute code within the context of any user who views the affected page, potentially stealing session cookies, credentials, or injecting malicious content. The weakness is based on improper input handling and rendering, making the application vulnerable to client‑side attacks.

Affected Systems

The vulnerability applies to all releases of the Cyber‑III Student‑Management‑System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. The project does not enforce version numbers, so any deployment of the code base that has not been updated beyond this point is affected. The system component in question is the Class Schedule Deletion Endpoint located at /admin/class%20schedule/delete_batch.php.

Risk and Exploitability

The CVSS score for this issue is 5.3, indicating moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, so it does not receive additional alerting. The attack vector is remote; any user who can submit a crafted request to the endpoint can trigger the XSS. Because the flaw is publicly disclosed and the project, which does not use formal versioning, has no patch release, the exploitation likelihood remains moderate, but the potential for credential theft is significant.

Generated by OpenCVE AI on April 6, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch from the vendor if one becomes available.
  • If no official fix has been released, modify the server‑side code to escape or strip the batch parameter before rendering.
  • Deploy a Web Application Firewall or a Content Security Policy that blocks inline scripts.
  • Monitor access logs for suspicious requests to delete_batch.php and notify the project maintainers with detailed evidence.
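
One way to carry out the log-monitoring action above, as an added example that is not OpenCVE's or the project's own code. It assumes combined-log-format access logs and that legitimate batch values are short alphanumeric identifiers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint from the advisory, compared after URL-decoding ("%20" -> " ").
ENDPOINT = "/admin/class schedule/delete_batch.php"
# Assumption: real batch identifiers are short alphanumeric tokens.
SAFE_BATCH = re.compile(r"[A-Za-z0-9 _.-]{1,64}")
# Client, request target and status from a combined-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.10 - - [06/Apr/2026:21:40:01 +0000] "GET /admin/class%20schedule/delete_batch.php?batch=2026-A HTTP/1.1" 200 312',
    '203.0.113.7 - - [06/Apr/2026:21:40:02 +0000] "GET /admin/class%20schedule/delete_batch.php?batch=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Apr/2026:21:40:05 +0000] "GET /admin/class%20schedule/delete_batch.php?batch=%253Cb%253Ex HTTP/1.1" 200 498',
    '198.51.100.10 - - [06/Apr/2026:21:40:09 +0000] "GET /admin/index.php?batch=%3Cb%3E HTTP/1.1" 404 150',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client, status, decoded batch) for requests worth reviewing."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log entry
        client, target, status = m.groups()
        parts = urlsplit(target)
        if unquote(parts.path).lower() != ENDPOINT:
            continue  # some other page; out of scope for this check
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            # Allow-list check: anything outside the expected token shape is flagged.
            if key == "batch" and not SAFE_BATCH.fullmatch(value):
                hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The allow-list flags any batch value that does not look like an identifier, so it also catches encodings and markup variants that a signature list would miss.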


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cyber-iii; Cyber-iii student-management-system
Vendors & Products | | Cyber-iii; Cyber-iii student-management-system

Mon, 06 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/delete_batch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument batch can lead to cross-site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title | | Cyber-III Student-Management-System Class Schedule Deletion Endpoint delete_batch.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T14:08:29.827Z

Reserved: 2026-04-06T08:14:13.608Z

Link: CVE-2026-5671

Vulnrichment

Updated: 2026-04-07T14:08:25.666Z

NVD

Status: Deferred

Published: 2026-04-06T18:16:45.933

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:39:15Z
