CVE-2026-4576
Cross-Site Scripting in Exam Form Submission /admin/update_s5.php
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | exam_form_submission | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4576 is a Cross-Site Scripting (XSS) vulnerability found in the Exam Form Submission Project version 1.0, specifically in the file /admin/update_s5.php.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the 'sname' parameter is not properly handled; user input is directly output to the web page without adequate encoding or filtering."}, {'type': 'paragraph', 'content': "This flaw allows attackers to inject malicious JavaScript code that executes in the victim's browser."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can have several impacts:'}, {'type': 'list_item', 'content': 'Attackers can steal sensitive information such as cookies and session tokens.'}, {'type': 'list_item', 'content': 'They can perform unauthorized actions on behalf of the victim.'}, {'type': 'list_item', 'content': 'Attackers may deface web pages or redirect users to malicious sites.'}, {'type': 'list_item', 'content': "There is potential for attackers to gain control over the victim's browser."}, {'type': 'paragraph', 'content': 'Notably, exploitation does not require user authentication or login, making it easier for attackers to launch remote attacks.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the 'sname' parameter in the URL path '/admin/update_s5.php' for Cross-Site Scripting (XSS) issues. A common approach is to inject a proof-of-concept payload such as `<script>prompt(/xss/);</script>` into the 'sname' parameter and observe if the script executes in the browser."}, {'type': 'paragraph', 'content': 'For example, you can use curl or wget commands to send requests with the malicious payload and check the response for unencoded script tags.'}, {'type': 'list_item', 'content': 'curl "http://<target-ip>/EXAM_FORM_SUBMISSION/admin/update_s5.php?sname=<script>prompt(/xss/);</script>" -i'}, {'type': 'list_item', 'content': 'Observe the HTTP response for the presence of the injected script without proper encoding or filtering.'}, {'type': 'paragraph', 'content': 'Additionally, using web vulnerability scanners that test for reflected XSS vulnerabilities on the specified parameter can help automate detection.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Implement proper output encoding on the 'sname' parameter to ensure user input is safely rendered without executing as code."}, {'type': 'list_item', 'content': 'Enforce strict input validation and filtering to allow only expected formats and reject or escape potentially malicious content such as script tags.'}, {'type': 'list_item', 'content': 'Apply a strict Content Security Policy (CSP) to restrict allowable script sources and block unauthorized inline and external scripts.'}, {'type': 'list_item', 'content': 'Set HttpOnly and Secure flags on cookies to prevent JavaScript access and ensure cookies are transmitted only over HTTPS.'}, {'type': 'list_item', 'content': 'Conduct regular security audits and code reviews to detect and address XSS and other vulnerabilities promptly.'}] [1]