CVE-2026-3403
Received Received - Intake
Cross-Site Scripting in PHPGurukul edit-subject.php Allows Remote Attack

Publication date: 2026-03-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in PHPGurukul Student Record Management System 1.0. This issue affects some unknown processing of the file /edit-subject.php. Performing a manipulation of the argument Subject 1 results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3403
EUVD
EUVD-2026-9136
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul student_record_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3403 is a Stored Cross-Site Scripting (XSS) vulnerability found in the PHPGurukul Student Record Management System version 1.0, specifically in the /edit-subject.php endpoint within the "Subject 1" field.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the system fails to properly validate and encode user input before storing it in the database and rendering it in the browser. An authenticated administrator can inject malicious JavaScript code into this field, which is persistently stored and executed whenever the subject record is viewed or edited.'}, {'type': 'paragraph', 'content': 'This allows arbitrary JavaScript execution within the administrator’s browser context, potentially leading to session hijacking, unauthorized administrative actions, and persistent compromise affecting all users accessing the modified subject record.'}] [1, 2, 3]

Impact Analysis

The vulnerability can lead to arbitrary JavaScript execution in an authenticated administrator’s session, which may result in session hijacking through cookie theft.

It can also enable unauthorized administrative actions and persistent compromise of the system, affecting all users who access the modified subject record.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a known XSS payload into the vulnerable field and observing if it executes. Specifically, an authenticated administrator can test the /edit-subject.php endpoint by inserting the payload `"><script>alert(document.cookie)</script>` into the Subject 1 field.'}, {'type': 'paragraph', 'content': 'Detection steps include:'}, {'type': 'list_item', 'content': 'Log in to the admin panel.'}, {'type': 'list_item', 'content': 'Navigate to /edit-subject.php.'}, {'type': 'list_item', 'content': 'Insert the XSS payload into the Subject 1 field.'}, {'type': 'list_item', 'content': 'Save the subject.'}, {'type': 'list_item', 'content': 'Revisit the edit page and check if the injected JavaScript executes.'}, {'type': 'paragraph', 'content': 'Additionally, vulnerable targets can be identified using Google dorking with the query: `inurl:edit-subject.php` to find instances of the affected endpoint.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include:

  • Implement strict server-side input validation and sanitization for the Subject 1 field.
  • Use context-aware output encoding functions such as PHP’s htmlspecialchars() to prevent script execution.
  • Deploy a strong Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
  • Enable HTTPOnly and Secure flags on session cookies to reduce the risk of session hijacking.
  • Conduct secure code reviews to ensure consistent output encoding and input filtering.
  • Apply centralized input filtering and perform security testing prior to deployment.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart