CVE-2026-5644
Received Received - Intake
Remote XSS in Cyber-III Student-Management-System Admin Notice Module

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $_SERVER['PHP_SELF'] results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5644
EUVD
EUVD-2026-19217
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyber-iii student-management-system to 1a938fa61e9f735078e9b291d2e6215b4942af3f (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5644 is a reflected Cross-Site Scripting (XSS) vulnerability found in the Cyber-III Student-Management-System, specifically in the file /admin/Add notice/batch-notice.php. The vulnerability occurs because the PHP script uses the unsanitized $_SERVER['PHP_SELF'] variable directly as the form's action attribute. This allows an attacker to craft a malicious URL that injects arbitrary JavaScript code, which is then executed by the victim's browser.

An attacker can exploit this by logging into the admin panel and accessing a specially crafted URL that includes malicious script code. This injected code can execute in the context of the admin's browser session.

The recommended fix is to avoid outputting user-controllable input directly in the form action attribute. Instead, use a hardcoded relative URL or properly sanitize the output using functions like htmlspecialchars to encode special characters and prevent script execution.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of an authenticated admin user's browser session.

  • Steal admin session cookies, potentially allowing the attacker to hijack the admin session.
  • Perform phishing attacks by injecting malicious scripts that mimic legitimate admin interface elements.
  • Execute other malicious payloads that could compromise the integrity and security of the Student Management System.
Detection Guidance

This vulnerability can be detected by attempting to reproduce the reflected Cross-Site Scripting (XSS) attack on the affected URL. Specifically, an attacker or tester can log into the admin panel with valid credentials and access a specially crafted URL that injects JavaScript code via the PHP_SELF variable.

  • Log in to the admin panel using credentials such as username: admin and password: admin123.
  • Access a URL similar to: http://127.0.0.1:3000/admin/Add%20notice/batch-notice.php/%22%3E%3Cscript%3Ealert('XSS_POC')%3C/script%3E

If the alert box with 'XSS_POC' appears, the vulnerability is present. This confirms that the PHP_SELF variable is unsafely used and allows script injection.

Mitigation Strategies

To mitigate this vulnerability immediately, avoid directly outputting the user-controllable $_SERVER['PHP_SELF'] variable in the form action attribute.

  • Replace the vulnerable PHP code `<?php echo $_SERVER['PHP_SELF']; ?>` with a hardcoded relative URL such as an empty string `""` or the specific filename like `"batch-notice.php"`.
  • If dynamic values are necessary, properly sanitize the output using PHP's htmlspecialchars function: `<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>`.

These changes prevent execution of injected scripts by encoding special characters, thereby mitigating the reflected XSS vulnerability.

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) flaw in the Cyber-III Student-Management-System that allows execution of arbitrary JavaScript code in the context of the admin panel.

Such XSS vulnerabilities can lead to session hijacking, theft of sensitive information, or phishing attacks, which may result in unauthorized access to personal or sensitive data.

This unauthorized access or exposure of sensitive data could potentially violate data protection regulations such as GDPR or HIPAA, which require safeguarding personal and health information against unauthorized access and ensuring data integrity and confidentiality.

Therefore, the presence of this vulnerability may negatively impact compliance with these standards by increasing the risk of data breaches or unauthorized data manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart