CVE-2026-4575
Cross-Site Scripting in Exam Form Submission /admin/update_s2.php
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | exam_form_submission | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4575 is a Cross-Site Scripting (XSS) vulnerability found in the Exam Form Submission Project version 1.0, specifically in the file /admin/update_s2.php.

The vulnerability occurs because the application directly outputs user input from the sname parameter to the web page without proper encoding or filtering.

This lack of input validation and output encoding allows attackers to inject malicious JavaScript code that executes in the victim's browser.

The attack can be initiated remotely and does not require any login or authorization. [1]
How can this vulnerability impact me?
This vulnerability can have several significant impacts:
- Attackers can steal cookies, session tokens, or other sensitive information.
- Attackers can perform unauthorized actions on behalf of the victim.
- Web pages can be defaced or altered maliciously.
- Users can be redirected to malicious websites.
- Attackers may gain control over the victim's browser.

[1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/update_s2.php endpoint for Cross-Site Scripting (XSS) via the sname parameter. A common approach is to send a request with a payload such as <script>prompt(/xss/);</script> in the sname parameter and observe if the script executes in the response.

You can use tools like curl or a web proxy to test this. For example, using curl:

- curl -G --data-urlencode "sname=<script>prompt(/xss/);</script>" https://targetsite.com/admin/update_s2.php

If the response contains the injected script without proper encoding or escaping, the vulnerability is present.

Additionally, automated scanners for XSS vulnerabilities can be used to detect this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement proper output encoding for the sname parameter when rendering it on web pages, using context-appropriate encoding to prevent script execution.
- Enforce strict input validation and filtering on the sname parameter to allow only expected input formats and reject or escape potentially malicious content such as script tags.
- Deploy a strict Content Security Policy (CSP) to restrict the sources of executable scripts and block unauthorized inline or external scripts.
- Set HttpOnly and Secure flags on cookies to prevent JavaScript access and ensure cookies are transmitted only over HTTPS, reducing the risk of cookie theft.
- Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly.
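
The first four mitigations above, combined in one PHP handler. This is an added example, not the project's code: the source of /admin/update_s2.php is not shown on this page, so the handler shape, the use of GET, the allowed name format and the helper names valid_sname() and h() are assumptions.

```php
<?php
// Added illustration; not the code of /admin/update_s2.php, which the page
// does not show. The helper names and the name format are assumptions.

// Cookie flags must be configured before session_start().
session_set_cookie_params([
    'secure'   => true,      // cookie is sent over HTTPS only
    'httponly' => true,      // cookie is not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// CSP without 'unsafe-inline': an injected inline <script> is not executed
// even if an encoding step is missed somewhere else in the page.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('Content-Type: text/html; charset=UTF-8');

/** Allow-list check: letters, combining marks, space, . ' - and 1 to 64 characters. */
function valid_sname(string $s): bool
{
    // \z (not $) so a trailing newline cannot slip through.
    return preg_match("/^[\\p{L}\\p{M} .'\\-]{1,64}\\z/u", $s) === 1;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$sname = $_GET['sname'] ?? '';          // may be an array if sent as sname[]=
if (!is_string($sname) || !valid_sname($sname)) {
    http_response_code(400);
    echo 'Invalid name.';               // rejected input is not reflected back
    exit;
}

// Pattern the advisory describes (raw parameter written into the page):
//   echo '<input name="sname" value="' . $_GET['sname'] . '">';
// Hardened form: encode at the point of output, for the output context.
echo '<input type="text" name="sname" value="' . h($sname) . '">';
```

Validation narrows what is accepted, but the encoding in h() is what keeps the value inert in HTML, so it stays in place even for input that passed the allow-list.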