CVE-2026-2201
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in ZeroWdd StudentManager LeaveController

Publication date: 2026-02-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2201
EUVD
EUVD-2026-6898
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zerowdd studentmanager 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2201 is a stored cross-site scripting (XSS) vulnerability in the ZeroWdd studentmanager application. It specifically affects the addLeave function in the LeaveController.java file. The vulnerability occurs because the "Reason for Leave" input is not properly sanitized before being included in web page output. This allows an attacker to inject malicious scripts remotely by manipulating this input.'}, {'type': 'paragraph', 'content': 'Exploitation requires the attacker to have some level of user authentication and user interaction, making it a targeted attack. The malicious script can be stored and later executed when viewed by other users, such as administrators.'}] [1, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to inject malicious scripts into the application via the "Reason for Leave" field. When these scripts are executed in the context of another user\'s browser, such as an administrator\'s, it can lead to compromise of that user\'s account or session.'}, {'type': 'paragraph', 'content': 'Because the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time. This can lead to data integrity issues and unauthorized actions performed on behalf of legitimate users.'}, {'type': 'paragraph', 'content': 'The vulnerability has a low severity score but is easy to exploit remotely, especially since the product is no longer actively maintained and no patches are available.'}] [1, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the addLeave function of the ZeroWdd studentmanager application, specifically by attempting to inject malicious scripts into the "Reason for Leave" parameter and observing if the input is improperly sanitized and reflected in the web page output.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is a stored cross-site scripting (XSS) issue, detection involves submitting crafted payloads as a low-privilege user and then verifying if these payloads execute when viewed by an administrator.'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided in the available resources. However, common approaches include using web application security testing tools such as OWASP ZAP or Burp Suite to intercept and modify requests to the addLeave endpoint, injecting typical XSS payloads like <script>alert(1)</script> in the Reason for Leave field, and monitoring the response for script execution.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the affected ZeroWdd studentmanager application due to the lack of active maintenance and absence of published patches.

Since no known countermeasures or patches have been published, it is recommended to consider replacing the affected product with an alternative solution.

Additionally, restricting user privileges to prevent low-privilege users from submitting untrusted input that could be rendered by administrators may reduce risk.

Implementing web application firewalls (WAFs) that can detect and block XSS payloads targeting the Reason for Leave parameter may also help mitigate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2201. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart