CVE-2026-5010
Reflected XSS in Clickedu /user.php Allows Data Theft
Publication date: 2026-03-27
Last updated on: 2026-05-19
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sanoma | clickedu | to 5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5010 is a reflected Cross-Site Scripting (XSS) vulnerability found in Sanoma's Clickedu, a school management platform. This vulnerability occurs when an attacker sends a malicious URL targeting the endpoint "/user.php/", which causes arbitrary JavaScript code to be executed in the victim's browser.
Exploitation requires no special privileges and only needs the victim to click the crafted URL. The vulnerability is classified as CWE-79, which involves improper neutralization of input during web page generation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Clickedu platform for reflected Cross-Site Scripting (XSS) on the endpoint "/user.php/". Specifically, you can attempt to inject JavaScript code into the URL and observe if it is executed in the browser.
A common approach is to craft a URL with a payload such as: /user.php/<script>alert(1)</script> and check if the script executes when accessed.
For network detection, monitoring HTTP requests to the "/user.php/" endpoint for suspicious or encoded JavaScript payloads can help identify exploitation attempts.
Example commands to test manually or via curl:
- curl -i "http://targetsite/user.php/%3Cscript%3Ealert(1)%3C/script%3E"
- curl -i "http://targetsite/user.php/<script>alert(document.cookie)</script>"
If the response contains the injected script without proper encoding or sanitization, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Sanoma Clickedu to version 5.1 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider implementing input validation and output encoding on the "/user.php/" endpoint to prevent execution of injected scripts.
Additionally, educate users to avoid clicking suspicious or untrusted URLs that target the vulnerable endpoint.
Monitoring and blocking suspicious requests containing script tags or encoded payloads targeting "/user.php/" can also reduce risk.
How can this vulnerability impact me? :
This vulnerability can be exploited to steal sensitive user data such as session cookies, which could allow attackers to hijack user sessions.
Additionally, attackers can perform unauthorized actions on behalf of the user by executing malicious scripts in their browser.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The reflected Cross-Site Scripting (XSS) vulnerability in Clickedu allows attackers to execute arbitrary JavaScript code in a victim's browser, potentially leading to the theft of sensitive user data such as session cookies or unauthorized actions performed on behalf of the user.
Such unauthorized access and data theft could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards or any specific regulatory implications.