CVE-2026-4577
Cross-Site Scripting in Exam Form Submission /admin/update_s4.php
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | exam_form_submission | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-4577 vulnerability is a Cross-Site Scripting (XSS) issue found in the "Exam Form Submission" project version 1.0, specifically in the '/admin/update_s4.php' file.

The root cause is the improper handling of the 'sname' parameter, where user input is directly output to the web page without proper encoding or filtering.

This allows attackers to inject malicious scripts, such as the payload `<script>prompt(/xss/);</script>`, which execute arbitrary code in the victim's browser. [1]
How can this vulnerability impact me?
The impact of this vulnerability includes the potential theft of cookies, session tokens, and other sensitive information.

Attackers can perform unauthorized actions on behalf of the victim, cause webpage defacement, redirect users to malicious sites, and possibly gain full control over the victim's browser.

Notably, exploitation does not require user login or authorization, increasing the risk of attack. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing the 'sname' parameter in the /admin/update_s4.php file for improper input handling that leads to Cross-Site Scripting (XSS). One common method is to inject a script payload such as `<script>prompt(/xss/);</script>` into the 'sname' parameter and observe if it executes in the browser.

Commands or tools to detect this include using curl or wget to send crafted HTTP requests and analyzing the response for reflected scripts.
- `curl -X GET 'http://targetsite/admin/update_s4.php?sname=<script>prompt(1)</script>' -i`
- Use a web proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to inject XSS payloads into the 'sname' parameter and observe the response.
- Automated scanners that detect XSS vulnerabilities can be used to test the endpoint. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Properly encode user inputs based on context (HTML, JavaScript, CSS, URL) to prevent execution as code.
- Enforce strict input validation and filtering to accept only expected input formats and reject or escape malicious content such as script tags and event handlers.
- Implement a strict Content Security Policy (CSP) to limit script sources and block unauthorized inline or external scripts.
- Set HttpOnly and Secure flags on sensitive cookies to prevent JavaScript access and ensure transmission over HTTPS.
- Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly.
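
The first four steps above, combined in one handler, as an added example that is not the code of Exam Form Submission. Only the parameter name `sname` comes from this advisory; the helper names `valid_student_name` and `h`, the name-format rule, the page markup and the CSP values are assumptions, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);
// Added illustration, not the project's source. Only `sname` is taken from the
// advisory; helper names, markup and policy values are assumptions.

// Session cookie: HttpOnly blocks script access, Secure restricts it to HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Per-response nonce: only script blocks emitted by the server may execute.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'nonce-$nonce'; object-src 'none'; base-uri 'none'");

// Input validation: allow only characters a student name can contain (assumed rule).
function valid_student_name(string $s): bool
{
    return preg_match('/^[\p{L}\p{M} .\'-]{1,100}$/u', $s) === 1;
}

// Output encoding for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$sname = $_GET['sname'] ?? $_POST['sname'] ?? '';
if (!is_string($sname) || !valid_student_name($sname)) {
    http_response_code(400);
    exit('Invalid student name');
}
// The flaw the advisory describes corresponds to writing the raw value: echo $sname;
?>
<p>Student: <?= h($sname) ?></p>
<input type="text" name="sname" value="<?= h($sname) ?>">
<script nonce="<?= h($nonce) ?>">
  // JavaScript context: JSON-encode with hex escapes; HTML escaping is wrong here.
  const studentName = <?= json_encode($sname, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR) ?>;
</script>
```

Validation and encoding are independent layers: a name such as `O'Brien` passes validation and is still encoded on output, so the page stays safe if the validation rule is later loosened.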