CVE-2026-5671
Received Received - Intake
Cross-Site Scripting in Cyber-III Class Schedule Deletion Endpoint

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/delete_batch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument batch can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5671
EUVD
EUVD-2026-19400
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyber-iii student-management-system to 1a938fa61e9f735078e9b291d2e6215b4942af3f (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-5671 affects the /admin/class schedule/delete_batch.php endpoint of the Cyber-III Student-Management-System. It involves two main security issues: unauthorized access and reflected cross-site scripting (XSS).

First, the endpoint lacks proper administrator permission checks, allowing any user, including unauthenticated ones, to access and execute batch deletion operations that should be restricted to administrators.

Second, the 'batch' parameter from POST requests is directly embedded into the HTML response without sanitization or escaping. This allows attackers to inject malicious JavaScript code that is reflected back and executed in the victim's browser.

An attacker can send a specially crafted POST request with a script payload in the 'batch' parameter, causing the injected script to execute in the victim's browser, confirming both unauthorized access and reflected XSS.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to perform administrative batch deletion operations without proper permissions, potentially leading to data loss or disruption of service.

Additionally, the reflected cross-site scripting (XSS) vulnerability can be exploited to execute malicious scripts in the browsers of users who access the affected endpoint. This can lead to session hijacking, theft of sensitive information, or other malicious actions performed on behalf of the victim.

Detection Guidance

This vulnerability can be detected by sending a crafted POST request to the endpoint /admin/class%20schedule/delete_batch.php with a script payload in the batch parameter and observing if the script is reflected in the response.

  • Use a command like: curl -X POST -d "batch=<script>alert('XSS_POC')</script>" http://<target-host>/admin/class%20schedule/delete_batch.php -H "Content-Type: application/x-www-form-urlencoded"
  • If the response HTML contains the injected script (e.g., Batch '<script>alert('XSS_POC')</script>' schedules deleted successfully), it confirms the presence of the reflected XSS vulnerability.
  • Also check if the endpoint is accessible without authentication, indicating unauthorized access vulnerability.
Mitigation Strategies

Immediate mitigation steps include implementing strict authentication and authorization checks to ensure only administrators can access and perform batch deletions.

  • Verify session data or valid tokens before processing requests to the /admin/class schedule/delete_batch.php endpoint.
  • Sanitize all user-supplied input, especially the batch parameter, before including it in HTML output by applying functions like htmlspecialchars() to prevent script injection and reflected XSS.
Compliance Impact

The vulnerability in CVE-2026-5671 allows unauthorized access to an administrative endpoint and enables reflected cross-site scripting (XSS) attacks. This can lead to unauthorized manipulation of data and execution of malicious scripts in users' browsers.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure access controls. Unauthorized access and XSS vulnerabilities increase the risk of data breaches and unauthorized data exposure, potentially violating these regulations.

Therefore, failure to implement proper authentication, authorization, and input sanitization as recommended can result in non-compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5671. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart