CVE-2026-2943
Received Received - Intake
Cross-Site Scripting in SapneshNaik Student Management System

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in SapneshNaik Student Management System up to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318. This impacts an unknown function of the file index.php. Such manipulation of the argument Error leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2943
EUVD
EUVD-2026-7689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sapneshnaik student_management_system to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2943 is a reflected Cross-Site Scripting (XSS) vulnerability found in the SapneshNaik Student Management System, specifically in the index.php file. The issue arises because the application directly outputs the value of the user-controlled 'error' parameter into the HTML page without any input validation, sanitization, or encoding. This allows an attacker to inject malicious scripts that execute in the context of a user's browser when they visit the affected page."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely and does not require authentication. A proof-of-concept exploit is publicly available, making it easier for attackers to leverage this flaw.'}] [2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of users who visit the vulnerable pages. Such scripts can steal session cookies, hijack user accounts, perform actions on behalf of users, or redirect users to malicious sites.

Because the attack can be launched remotely and requires only user interaction, it poses a risk to the integrity and security of the system and its users.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability can be detected by checking for the presence of the vulnerable parameter "error" in the index.php or admin.php files of the SapneshNaik Student Management System. Since the vulnerability is a reflected cross-site scripting (XSS) issue, one way to detect it is by sending crafted HTTP requests with XSS payloads in the "error" parameter and observing if the payload is reflected unescaped in the response.'}, {'type': 'paragraph', 'content': 'Additionally, vulnerable targets can be identified using Google dorking with the query: inurl:index.php'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability by injecting a simple XSS payload:'}, {'type': 'list_item', 'content': 'curl -i "http://targetsite.com/index.php?error=<script>alert(\'XSS\')</script>"'}, {'type': 'paragraph', 'content': 'If the response contains the injected script tag without proper encoding or sanitization, the system is vulnerable.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no known official mitigations or countermeasures provided by the vendor, as the vendor did not respond to the disclosure.'}, {'type': 'paragraph', 'content': 'Immediate steps to mitigate this vulnerability include:'}, {'type': 'list_item', 'content': 'Avoid using the affected SapneshNaik Student Management System version or replace it with a secure alternative.'}, {'type': 'list_item', 'content': 'Implement input validation and output encoding on the "error" parameter to prevent injection of malicious scripts. For example, use PHP functions like htmlspecialchars() to sanitize user input before rendering.'}, {'type': 'list_item', 'content': 'Use web application firewalls (WAFs) to detect and block malicious payloads targeting the vulnerable parameter.'}, {'type': 'list_item', 'content': 'Monitor and restrict access to the affected pages if possible until a patch or fix is available.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart