CVE-2026-2201
Cross-Site Scripting in ZeroWdd StudentManager LeaveController
Publication date: 2026-02-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zerowdd | studentmanager | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2201 is a stored cross-site scripting (XSS) vulnerability in the ZeroWdd studentmanager application. It affects the addLeave function in LeaveController.java: the "Reason for Leave" input is not properly neutralized before it is included in web page output, so an attacker can inject script remotely by manipulating that field.

Exploitation requires an authenticated account on the application and interaction from a victim, which makes it a targeted attack. The injected script is stored and executes later, when the leave request is viewed by other users such as administrators. [1, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker to inject malicious scripts into the application via the "Reason for Leave" field. When such a script executes in the browser of another user, such as an administrator, it can compromise that user's account or session.

Because this is stored XSS, the payload persists and can affect multiple users over time, which can lead to data integrity issues and to unauthorized actions performed on behalf of legitimate users.

The vulnerability carries a low severity score, but it can be exploited remotely by any authenticated user who can submit a leave request, and because the product is no longer actively maintained, no patch is available. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means testing the addLeave function of the ZeroWdd studentmanager application: submit a crafted value in the "Reason for Leave" parameter and check whether it is stored and later rendered in page output without encoding.

Because this is stored XSS, the test has two sides: submit the payload as a low-privilege user, then view the leave list as an administrator and verify whether the payload renders unencoded or executes.

No specific detection commands are provided in the available resources. A common approach is to use a web application security testing proxy such as OWASP ZAP or Burp Suite to intercept and modify the request to the addLeave endpoint, inject a typical XSS payload such as <script>alert(1)</script> into the Reason for Leave field, and then inspect the administrator's view of the stored request in a browser to confirm whether the script runs. [1, 3]
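The two-sided test above, and the missing output encoding described in the first answer, can be exercised offline with the following added example. It is not code from the ZeroWdd studentmanager project or from the advisory: the endpoint path "/leave/addLeave", the form field name "reason", the session cookie and the sample table rows are assumptions made for illustration and should be replaced with the real request captured in Burp Suite or OWASP ZAP. Instead of alert(1) it uses a harmless, unique canary tag, which is enough to prove that the sink does not encode < and > and is easy to tell apart from data already stored in the leave table. It also places a vulnerable row renderer (untrusted field concatenated into HTML) beside the encoded form, so the same classifier shows what a fixed page looks like.

```python
"""Canary-based check for stored XSS in a 'Reason for Leave' style field.

Added example, not code from the ZeroWdd studentmanager project. The endpoint
path, the form field name and the sample HTML rows are assumptions.
"""
import html
import secrets
from typing import Callable
from urllib.parse import urlencode
from urllib.request import Request


def make_canary(token: str = "") -> str:
    """A harmless, unique marker: a bogus tag proves the sink does not encode
    '<' and '>' without needing script execution, and the random token makes
    it unlikely to collide with data already stored in the leave table."""
    token = token or secrets.token_hex(4)
    return f"<xss-{token}>"


def classify(page: str, canary: str) -> str:
    """How did the canary come back in the rendered page?

    'unescaped' -> the raw tag is present: no output encoding (vulnerable)
    'escaped'   -> only the HTML-encoded form is present: output is encoded
    'absent'    -> the submission is not rendered on this page at all
    """
    if canary in page:
        return "unescaped"
    if html.escape(canary, quote=False) in page:
        return "escaped"
    return "absent"


def build_add_leave_request(base_url: str, reason: str, session_cookie: str) -> Request:
    """Build (without sending) the POST a low-privilege student would make.
    The path "/leave/addLeave" and the field name "reason" are assumptions."""
    body = urlencode({"reason": reason}).encode()
    return Request(
        f"{base_url}/leave/addLeave",
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": session_cookie,
        },
        method="POST",
    )


# Two ways the leave row an administrator views could be rendered.
def render_row_vulnerable(student: str, reason: str) -> str:
    """Untrusted field concatenated straight into HTML (the bug class here)."""
    return f"<tr><td>{student}</td><td>{reason}</td></tr>"


def render_row_fixed(student: str, reason: str) -> str:
    """Same row with HTML-body output encoding applied to every untrusted value."""
    return f"<tr><td>{html.escape(student)}</td><td>{html.escape(reason)}</td></tr>"


def check_renderer(render: Callable[[str, str], str], token: str = "c0ffee") -> str:
    """Simulate the end-to-end test offline: submit a canary as the reason,
    then look at the administrator's leave list and classify what came back."""
    canary = make_canary(token)
    # Constructed sample of the administrator's page, not captured from the real app.
    admin_page = "<table>" + render("alice", canary) + "</table>"
    return classify(admin_page, canary)


if __name__ == "__main__":
    req = build_add_leave_request("http://localhost:8080", make_canary(), "JSESSIONID=replace-me")
    print(req.get_method(), req.full_url, req.data)
    print("vulnerable renderer:", check_renderer(render_row_vulnerable))
    print("fixed renderer:     ", check_renderer(render_row_fixed))
```

Against a live instance, send the built request from a student session, then fetch the administrator's leave list with an administrator session and pass the response body to classify(): "unescaped" reproduces the finding, "escaped" means the field is being encoded, and "absent" means you are looking at the wrong page or the submission was rejected. The classifier deliberately looks for the encoded form as well, so a negative result distinguishes "fixed" from "not rendered here", which a bare substring search for the payload would not.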
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the affected ZeroWdd studentmanager application due to the lack of active maintenance and absence of published patches.
Since no known countermeasures or patches have been published, it is recommended to consider replacing the affected product with an alternative solution.
Additionally, restricting user privileges to prevent low-privilege users from submitting untrusted input that could be rendered by administrators may reduce risk.
Implementing web application firewalls (WAFs) that can detect and block XSS payloads targeting the Reason for Leave parameter may also help mitigate exploitation attempts.