CVE-2026-3403
Cross-Site Scripting in PHPGurukul edit-subject.php Allows Remote Attack
Publication date: 2026-03-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | student_record_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3403 is a Stored Cross-Site Scripting (XSS) vulnerability found in the PHPGurukul Student Record Management System version 1.0, specifically in the /edit-subject.php endpoint within the "Subject 1" field.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the system fails to properly validate and encode user input before storing it in the database and rendering it in the browser. An authenticated administrator can inject malicious JavaScript code into this field, which is persistently stored and executed whenever the subject record is viewed or edited.'}, {'type': 'paragraph', 'content': 'This allows arbitrary JavaScript execution within the administratorβs browser context, potentially leading to session hijacking, unauthorized administrative actions, and persistent compromise affecting all users accessing the modified subject record.'}] [1, 2, 3]
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary JavaScript execution in an authenticated administratorβs session, which may result in session hijacking through cookie theft.
It can also enable unauthorized administrative actions and persistent compromise of the system, affecting all users who access the modified subject record.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a known XSS payload into the vulnerable field and observing if it executes. Specifically, an authenticated administrator can test the /edit-subject.php endpoint by inserting the payload `"><script>alert(document.cookie)</script>` into the Subject 1 field.'}, {'type': 'paragraph', 'content': 'Detection steps include:'}, {'type': 'list_item', 'content': 'Log in to the admin panel.'}, {'type': 'list_item', 'content': 'Navigate to /edit-subject.php.'}, {'type': 'list_item', 'content': 'Insert the XSS payload into the Subject 1 field.'}, {'type': 'list_item', 'content': 'Save the subject.'}, {'type': 'list_item', 'content': 'Revisit the edit page and check if the injected JavaScript executes.'}, {'type': 'paragraph', 'content': 'Additionally, vulnerable targets can be identified using Google dorking with the query: `inurl:edit-subject.php` to find instances of the affected endpoint.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement strict server-side input validation and sanitization for the Subject 1 field.
- Use context-aware output encoding functions such as PHPβs htmlspecialchars() to prevent script execution.
- Deploy a strong Content Security Policy (CSP) to restrict the execution of unauthorized scripts.
- Enable HTTPOnly and Secure flags on session cookies to reduce the risk of session hijacking.
- Conduct secure code reviews to ensure consistent output encoding and input filtering.
- Apply centralized input filtering and perform security testing prior to deployment.