Description
A vulnerability was determined in code-projects Coaching Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /cims/modules/student/complaint.php of the component Complaint Form Page. This manipulation of the argument Complaint causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can be triggered remotely, enabling injection of arbitrary client‑side code
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the /cims/modules/student/complaint.php page of the Coaching Management System. An attacker can craft a value for the complaint argument that is reflected into the page without proper filtering or encoding. The result is an uncontrolled client‑side script execution stored or reflected, allowing the attacker to run arbitrary JavaScript within the victim’s browser. This can lead to session hijacking, credential theft, or phishing infections but does not provide direct server‑side code execution or network takeover.

Affected Systems

code‑projects Coaching Management System version 1.0, specifically the Complaint Form module located at /cims/modules/student/complaint.php

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. With no EPSS score available, the likelihood of exploitation is uncertain, and the flaw is not yet listed in the CISA KEV catalog. The vulnerability can be triggered from any remote client that can submit a complaint, implying a low barrier for attackers. Though it does not grant control of the server, the impact on confidentiality and integrity of user data via client‑side attack warrants mitigation.

Generated by OpenCVE AI on April 28, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Coaching Management System that validates and encodes the complaint input.
  • Modify the complaint input handling to escape all HTML and JavaScript characters before rendering it back to the browser.
  • Add a Content Security Policy header restricting script sources, and enforce HTTPOnly and Secure flags on session cookies.

Generated by OpenCVE AI on April 28, 2026 at 12:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects coaching Management System
Vendors & Products Code-projects
Code-projects coaching Management System

Tue, 28 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in code-projects Coaching Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /cims/modules/student/complaint.php of the component Complaint Form Page. This manipulation of the argument Complaint causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Title code-projects Coaching Management System Complaint Form complaint.php cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Coaching Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:29:18.939Z

Reserved: 2026-04-27T15:36:48.698Z

Link: CVE-2026-7222

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-28T04:16:28.827

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7222

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses