Description
A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in student.php allows an attacker to insert arbitrary JavaScript through manipulation of the FIRST_NAME parameter, which the application renders without escaping. This cross‑site scripting capability lets the attacker run code in the victim’s browser, potentially stealing cookies, hijacking sessions, or defacing web pages. The vulnerability is a classic input‑validation weakness identified by CWE‑79 and, according to the source, may also involve code injection mechanisms (CWE‑94). The impact is confined to the client side; it does not grant the attacker server‑side code execution or data exfiltration beyond what the injected script can access.

Affected Systems

The impacted product is yashpokharna2555's StudentManagementSystem. No specific version details are provided because the project uses continuous delivery and rolling releases, so the CVE notes that no affected or updated release versions are known. The references point to the project's GitHub repository and public vulnerability reports, indicating that any release of the system is potentially vulnerable.

Risk and Exploitability

The CVSS 4.0 score is 5.1, placing the vulnerability at medium severity. The EPSS score is unavailable, but the exploit is described as public and usable, and the attack can be launched remotely by sending a crafted HTTP request with a malicious FIRST_NAME field. The product is not listed in the CISA KEV catalog. Because the flaw stems from inadequate input sanitization, the risk remains open until the maintainer issues a patch or until mitigations are applied at the application level. The attack vector is remote, and as noted above this is a client‑side XSS scenario rather than a server‑side code execution vulnerability.

Generated by OpenCVE AI on May 25, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Escape or filter the FIRST_NAME value (and any other user‑supplied data) at the point it is rendered, so that untrusted HTML is never emitted into the page.
  • Deploy a Content‑Security‑Policy header that disallows inline scripts and restricts script sources to trusted origins.
  • Set the HttpOnly and Secure flags on session cookies to reduce the impact of potential cookie theft via XSS.
  • Monitor application logs for attempts to inject script or code and block typical XSS payloads at the web‑application firewall or reverse proxy.
  • Apply any patched version of StudentManagementSystem as soon as the maintainer releases one, or consider switching to a well‑maintained alternative if no fix becomes available.
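As an added illustration, not code from StudentManagementSystem (the record names only the file student.php and the parameter FIRST_NAME; the page layout, function names and cookie settings are assumed), the rendering pattern that produces CWE‑79 is shown beside a hardened form that applies the first three recommended actions:

```php
<?php
// Added example, not the project's code: the record names only student.php and
// the FIRST_NAME parameter; the markup, function names and settings are assumed.

// Vulnerable pattern (CWE-79): the submitted value is written straight into the
// HTML response, so any markup a user submits is interpreted by the viewer's browser.
function render_student_row_vulnerable(array $post): string
{
    $firstName = $post['FIRST_NAME'] ?? '';
    return "<td>" . $firstName . "</td>";
}

// Hardened pattern: encode at the output point for the HTML text context.
// ENT_QUOTES also encodes ' and " so the value is safe inside attribute values,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8 input.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_student_row(array $post): string
{
    $firstName = $post['FIRST_NAME'] ?? '';
    return "<td>" . html_escape($firstName) . "</td>";
}

// Defence in depth from the recommended actions: cookie flags and a CSP that
// disallows inline scripts. Both must be set before any response body is sent.
function apply_browser_hardening(): void
{
    session_set_cookie_params([
        'httponly' => true,   // script in the page cannot read the session cookie
        'secure'   => true,   // cookie is only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample input: a plain name, one containing markup, one with quotes.
$samples = [
    ['FIRST_NAME' => 'Alice'],
    ['FIRST_NAME' => '<b>Bob</b>'],
    ['FIRST_NAME' => 'D\'Arcy "Dee"'],
];
foreach ($samples as $post) {
    echo render_student_row($post), PHP_EOL;
}
```

The markup in the second and third samples is emitted as entity‑encoded text by render_student_row, whereas render_student_row_vulnerable would pass it through unchanged.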

Advisories

No advisories yet.

History

Mon, 25 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title | (none) | yashpokharna2555 StudentManagementSystem student.php cross site scripting
First Time appeared | (none) | Yashpokharna2555; Yashpokharna2555 studentmanagementsystem
Weaknesses | (none) | CWE-79; CWE-94
CPEs | (none) | cpe:2.3:a:yashpokharna2555:studentmanagementsystem:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Yashpokharna2555; Yashpokharna2555 studentmanagementsystem
References | (none) | (none listed)
Metrics | (none) | cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T15:45:09.619Z

Reserved: 2026-05-24T09:06:07.036Z

Link: CVE-2026-9471

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T17:30:06Z

Weaknesses