CVE-2026-5668
Received Received - Intake
Remote XSS in Cyber-III Student-Management-System Admin Notice Module

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipulation of the argument $_SERVER['PHP_SELF'] causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5668
EUVD
EUVD-2026-19365
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyber-iii student-management-system to 1a938fa61e9f735078e9b291d2e6215b4942af3f (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript in the context of the admin panel. This can lead to cookie theft, phishing, or session hijacking.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of sensitive personal or health information through session hijacking or phishing attacks.

Therefore, this vulnerability poses a risk to maintaining confidentiality and integrity of data, which are core requirements in these regulations.

Executive Summary

CVE-2026-5668 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the Cyber-III Student-Management-System, specifically in the file /admin/Add notice/add notice.php.

The issue arises because the application uses the unsanitized $_SERVER['PHP_SELF'] variable directly in the action attribute of two HTML forms. This allows an attacker to craft a malicious URL that injects arbitrary JavaScript code, which then executes in the context of the admin panel.

An example attack involves logging into the admin panel and accessing a specially crafted URL that includes a script tag, causing the injected JavaScript to run and potentially display an alert or perform malicious actions.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code within the admin panel's context.

  • Potential theft of cookies, which could lead to session hijacking.
  • Phishing attacks by injecting malicious content into the admin interface.
  • Unauthorized actions performed on behalf of the admin user due to script execution.
Detection Guidance

This vulnerability can be detected by attempting to reproduce the reflected XSS attack on the vulnerable URL parameter. Specifically, by accessing the admin panel and visiting a crafted URL that injects JavaScript code into the `$_SERVER['PHP_SELF']` parameter.

  • Log in to the admin panel with valid credentials (e.g., username: admin, password: admin123).
  • Use a browser or a tool like curl to request a URL similar to: http://127.0.0.1:3000/admin/Add%20notice/add%20notice.php/"> <script>alert('XSS')</script>

If the JavaScript alert box appears or the injected script executes, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves preventing the unsanitized output of the `$_SERVER['PHP_SELF']` variable in the vulnerable PHP file.

  • Replace the dynamic output `<?php echo $_SERVER['PHP_SELF']; ?>` in the `action` attribute of the forms with a hardcoded relative URL such as an empty string "" or "add notice.php".
  • If dynamic output is necessary, encode the output using PHP's htmlspecialchars function: `<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>` to escape special characters and prevent script injection.

These steps will prevent arbitrary JavaScript injection via the URL and mitigate the reflected XSS vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart