CVE-2026-5643
Received Received - Intake
Remote XSS in Cyber-III Admin Add Endpoint Notice.php

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5643
EUVD
EUVD-2026-19215
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyber-iii student-management-system to 1a938fa61e9f735078e9b291d2e6215b4942af3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5643 is a reflected Cross-Site Scripting (XSS) vulnerability in the Cyber-III Student-Management-System, specifically in the file /admin/Add notice/notice.php. The vulnerability occurs because the script uses the unsanitized $_SERVER['PHP_SELF'] variable directly as the form's action attribute. This allows an attacker to craft a malicious URL that injects arbitrary JavaScript code, which is then executed by the victim's browser.

An attacker can exploit this by logging into the admin panel with preset credentials and accessing a specially crafted URL that causes the browser to execute the injected script. This can lead to actions such as displaying alert boxes or more harmful scripts that steal cookies, perform phishing, or hijack the admin session.

The recommended fix is to avoid directly outputting user-controllable input in the form action attribute. Instead, use a hardcoded relative URL or properly sanitize the output using PHP’s htmlspecialchars() function to prevent script injection.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the context of the admin panel. This can lead to theft of cookies, phishing attacks, or hijacking of the admin session, potentially giving attackers unauthorized access or control over the system.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoint with a specially crafted URL that injects JavaScript code via the PHP_SELF variable. For example, accessing a URL like the following can reveal if the system is vulnerable by triggering a script execution alert in the browser:

  • http://127.0.0.1:3000/admin/Add%20notice/notice.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

If the alert box with the text "XSS" appears, it confirms the presence of the reflected cross-site scripting vulnerability.

No specific network commands are provided, but manual testing via browser or automated scanning tools targeting reflected XSS on the /admin/Add notice/notice.php endpoint with manipulation of the PHP_SELF parameter can be used.

Mitigation Strategies

Immediate mitigation involves modifying the vulnerable code to avoid directly outputting the unsanitized $_SERVER['PHP_SELF'] variable in the form's action attribute.

  • Replace the dynamic PHP_SELF usage with a hardcoded relative URL such as an empty string "" or "notice.php" to post to the same page safely.
  • If dynamic values are necessary, properly sanitize the output using PHP's htmlspecialchars() function with appropriate flags, for example: <?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>

These steps prevent script injection by encoding special characters, thereby mitigating the cross-site scripting vulnerability.

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Cyber-III Student-Management-System that allows execution of arbitrary JavaScript in the admin panel.

Such XSS vulnerabilities can lead to session hijacking, phishing, or theft of sensitive information, which may result in unauthorized access to personal or protected data.

This unauthorized access or exposure of sensitive data could potentially violate compliance requirements under standards like GDPR or HIPAA, which mandate protection of personal and health information.

However, the provided information does not explicitly state the impact on compliance or whether any personal data is affected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart