CVE-2026-4578
Cross-Site Scripting in Exam Form Submission /admin/update_s3.php
Publication date: 2026-03-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | exam_form_submission | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'The CVE-2026-4578 vulnerability is a Cross-Site Scripting (XSS) flaw found in the "Exam Form Submission" project version 1.0, specifically in the file /admin/update_s3.php.'}, {'type': 'paragraph', 'content': 'The root cause is the improper handling of the sname parameter, where user input is directly output to the web page without proper encoding or filtering.'}, {'type': 'paragraph', 'content': "This allows attackers to inject malicious JavaScript code, which executes in the victim's browser."}, {'type': 'paragraph', 'content': 'A proof-of-concept payload is <script>prompt(/xss/);</script>, demonstrating the execution of arbitrary scripts via the vulnerable sname parameter.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to steal cookies, session tokens, and other sensitive information from users.
Attackers can perform unauthorized actions on behalf of the victim, deface web pages, redirect users to malicious sites, and potentially gain control over the victimβs browser.
Exploitation does not require any login or authorization, making it easier for attackers to launch attacks remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The CVE-2026-4578 vulnerability is a Cross-Site Scripting (XSS) flaw in the Exam Form Submission 1.0 project, specifically in the /admin/update_s3.php file where the sname parameter is improperly handled. Detection involves testing the sname parameter for XSS payloads.'}, {'type': 'paragraph', 'content': 'A common detection method is to send a test payload such as <script>prompt(/xss/);</script> to the sname parameter and observe if the script executes in the browser, indicating vulnerability.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -G --data-urlencode "sname=<script>prompt(/xss/);</script>" https://targetsite.com/admin/update_s3.php'}, {'type': 'paragraph', 'content': 'If the response page executes the script or reflects the payload without encoding, the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate remediation steps for CVE-2026-4578 include:
- Implement proper output encoding for the sname parameter based on the context (HTML, JavaScript, CSS, URL) to ensure user input is treated as text and not executable code.
- Enforce strict input validation and filtering to accept only expected input formats and sanitize or reject potentially malicious content such as script tags or event handlers.
- Deploy a strict Content Security Policy (CSP) to restrict script sources and prevent execution of unauthorized inline or external scripts.
- Set HttpOnly and Secure flags on sensitive cookies to prevent JavaScript access and ensure cookies are transmitted only over HTTPS, mitigating cookie theft risks.
- Conduct regular security audits and code reviews to detect and fix XSS and other vulnerabilities promptly.