CVE-2026-7401
Received - Intake
Cross-Site Scripting in CET Automated Grading System

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used.
Meta Information
Published: 2026-04-29
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
sourcecodester | cet_automated_grading_system | 1.0
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, specifically in the Registration component's /index.php?action=register file. It involves the manipulation of input arguments such as student_id, full_name, section, and username, which leads to a cross-site scripting (XSS) vulnerability. This means an attacker can inject malicious scripts through these inputs.

The attack can be performed remotely, and the exploit code is publicly available.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a cross site scripting (XSS) issue in the registration component of the SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. While the CVE description does not explicitly mention compliance impacts, XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data.

Such vulnerabilities may affect compliance with standards like GDPR or HIPAA if exploited to compromise personal or sensitive information, as these regulations require protection of user data and prevention of unauthorized access.

However, no direct information about compliance impact is provided in the available data.


How can this vulnerability impact me?

This cross-site scripting vulnerability can allow attackers to execute malicious scripts in the context of the affected web application. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of the user without their consent.

Since the exploit is publicly available and the attack can be launched remotely, it increases the risk of exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to inject typical XSS payloads into the registration fields (student_id, full_name, section, username) of the CET Automated Grading System's registration page and observing if the payload is stored and executed when the admin accesses the dashboard.

A proof of concept payload such as `"><svg onload=alert(1)>` can be submitted via the registration form to test for stored XSS.

To test this on a system you are authorised to assess, send a crafted POST request to the registration endpoint with curl, then log in as an administrator, open the dashboard and check whether the stored value is rendered verbatim or HTML-encoded. Note the quoting: the payload itself contains a double quote, so a `-d "student_id=123"><svg ...>"` form breaks the shell quoting; single quotes around each field and `--data-urlencode` keep the `"` and `>` intact in the form body.

  • Example curl command to test injection: curl -s -X POST --data-urlencode 'student_id=123"><svg onload=alert(1)>' --data-urlencode 'full_name=test' --data-urlencode 'section=sec' --data-urlencode 'username=user' 'http://target/PersonalAGS/index.php?action=register'
  • Then inspect the dashboard page source as the administrator: `<svg onload=alert(1)>` appearing unencoded confirms the stored XSS, while `&lt;svg onload=alert(1)&gt;` means the output is being encoded and the alert will not fire.

What immediate steps should I take to mitigate this vulnerability?

The root fix is contextual output encoding: every stored registration field must be HTML-encoded at the point where the admin dashboard renders it, so that a value such as `"><svg onload=alert(1)>` is displayed as text rather than parsed as markup.

Input validation on the registration form (for example, digits only for student_id, a short alphanumeric pattern for section and username) is a useful second layer that reduces what reaches the database, but on its own it does not prevent XSS, because fields like full_name legitimately contain characters that are dangerous in HTML.

Restrict access to the admin dashboard to trusted users and consider adding additional authentication or multi-factor authentication to reduce risk.

If possible, apply any available patches or updates from the vendor addressing this vulnerability.

As a temporary measure, monitor logs for suspicious registration attempts and consider disabling the registration feature if not immediately needed.


Can you explain this vulnerability to me?

CVE-2026-7401 is a Stored Cross-Site Scripting (XSS) vulnerability in the CET Automated Grading System version 1.0, specifically in the student self-registration portal.

An unauthenticated attacker can inject malicious JavaScript code into registration fields such as student_id, full_name, section, and username.

These malicious scripts are stored in the system's database and execute when an administrator views the student dashboard.

This allows the attacker to perform actions like stealing the admin's session cookie and potentially taking over the admin account.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access and control over the administrative dashboard.

  • An attacker can hijack admin sessions by stealing session cookies.
  • The attacker can take over the admin account, gaining full control of the system.
  • The attacker can deface the admin dashboard or redirect pages to malicious sites.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to inject typical cross-site scripting payloads into the registration fields (student_id, full_name, section, username) of the CET Automated Grading System's registration page.

For example, you can use curl or a similar HTTP client to send a payload like `"><svg onload=alert(1)>` to the registration endpoint and then observe whether the stored value is rendered unencoded in the admin dashboard. Single quotes around each field are needed because the payload contains a double quote, and `--data-urlencode` ensures the `"` and `>` characters survive in the form body.

  • curl -s -X POST 'http://target/PersonalAGS/index.php?action=register' --data-urlencode 'student_id=123"><svg onload=alert(1)>' --data-urlencode 'full_name=Test' --data-urlencode 'section=1' --data-urlencode 'username=testuser'

Monitoring the admin dashboard for unexpected script execution or alerts after such injections can confirm the presence of the vulnerability.
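The two detection answers above describe the same procedure: submit the payload through the registration form, then look at the admin dashboard. The following PHP CLI script is an added example that automates that check; it is not code from VulDB or from the CET Automated Grading System. It uses a unique marker per probe instead of `alert(1)` so runs can be told apart, injects into one field at a time so a finding can be attributed to that field, and distinguishes a raw reflection from an HTML-encoded one. The `/PersonalAGS/index.php?action=register` path comes from the advisory; the dashboard path `index.php?action=dashboard` and the admin session cookie passed on the command line are assumptions and must be adjusted to the deployment. Run it only against a system you are authorised to test.

```php
<?php
// Added example: stored-XSS regression check for the registration form in the advisory.
// Not code from VulDB or from the CET Automated Grading System.
// Assumptions (not in the advisory): the dashboard path index.php?action=dashboard and the
// admin session cookie given as the second argument. Requires PHP 8 with ext/curl.
declare(strict_types=1);

const FIELDS = ['student_id', 'full_name', 'section', 'username'];

// One probe per field: benign values everywhere except the field under test, which gets
// the advisory's `"><svg onload=...>` shape carrying a unique marker so the result cannot
// be confused with an earlier run or with an unrelated alert(1) in the logs.
function buildProbe(string $field): array
{
    $marker = 'xss' . bin2hex(random_bytes(4));
    $fields = [
        'student_id' => (string) random_int(100000, 999999),
        'full_name'  => 'Probe User',
        'section'    => 'A1',
        'username'   => 'probe' . bin2hex(random_bytes(3)),
    ];
    $fields[$field] = '"><svg onload=console.log(\'' . $marker . '\')>';
    return [$fields, $marker];
}

// POST the registration as application/x-www-form-urlencoded; http_build_query encodes " and >.
function postForm(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return is_string($body) ? $body : '';
}

// Fetch the admin dashboard with the administrator's session cookie (e.g. "PHPSESSID=...").
function getPage(string $url, string $cookie): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_COOKIE         => $cookie,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return is_string($body) ? $body : '';
}

// Classify how the stored value comes back in the dashboard HTML:
//   raw      the injected tag is present verbatim, so the script executes (vulnerable)
//   encoded  only the marker text is present, i.e. the tag was HTML-escaped (safe)
//   absent   marker not found: the record was rejected, or it is rendered elsewhere
function classifyReflection(string $html, string $marker): string
{
    if (str_contains($html, "<svg onload=console.log('$marker')>")) {
        return 'raw';
    }
    return str_contains($html, $marker) ? 'encoded' : 'absent';
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $base   = $argv[1] ?? 'http://target/PersonalAGS';
    $cookie = $argv[2] ?? '';
    foreach (FIELDS as $field) {
        [$fields, $marker] = buildProbe($field);
        postForm($base . '/index.php?action=register', $fields);
        $html = getPage($base . '/index.php?action=dashboard', $cookie); // path is an assumption
        printf("%-10s %s\n", $field, classifyReflection($html, $marker));
    }
}
```

Usage: `php xss_check.php http://target/PersonalAGS 'PHPSESSID=<admin session>'`. A result of `raw` for any field reproduces the advisory; `encoded` for all four is the state you want after the fix. An `absent` result for a field usually means the registration was rejected by validation or that the value is shown on a page other than the assumed dashboard path, so it should be followed up manually rather than read as "not vulnerable".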


What immediate steps should I take to mitigate this vulnerability?

The primary fix is contextual output encoding on the admin dashboard: every stored registration field must be HTML-encoded where it is rendered, so that an injected `<svg onload=...>` is shown as text rather than executed.

Validating inputs on the registration page (strict patterns for student_id, section and username; a length limit and a restricted character set for full_name) is a worthwhile second layer, but it does not replace output encoding, since names legitimately contain characters that are dangerous in HTML.

Restrict access to the admin dashboard to trusted users and consider adding authentication and authorization controls if not already present.

If possible, apply any available patches or updates from the vendor to fix the vulnerability.

As a temporary measure, monitor logs and network traffic for suspicious activity related to the registration and admin dashboard.
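Both mitigation answers above prescribe the same two controls, output encoding where the dashboard renders stored fields and validation on the registration handler. The following PHP is an added example of those controls, placing the vulnerable pattern beside its hardened form; it is not code from VulDB or from the CET Automated Grading System. The `students` table, its column names, the validation patterns and the PDO connection are assumptions chosen for illustration, and the sample input is constructed from the advisory's payload shape.

```php
<?php
// Added example: vulnerable pattern beside its hardened form for the registration flow
// described in the advisory. Not code from VulDB or from the CET Automated Grading System.
// Table/column names, validation patterns and the PDO connection are assumptions. Requires PHP 8.
declare(strict_types=1);

// --- Vulnerable shape (CWE-79 in a registration + dashboard flow) ---
// Registration stores whatever was submitted, and the dashboard concatenates it into HTML:
//   $pdo->query("INSERT INTO students (full_name) VALUES ('{$_POST['full_name']}')");
//   echo "<td>" . $row['full_name'] . "</td>";
// A value like "><svg onload=alert(1)> is stored verbatim and executes in the admin's browser.

// Contextual HTML encoding: <, >, &, and both quote characters (ENT_QUOTES) are encoded, so the
// value is inert whether it lands in element text or inside a quoted attribute.
function e(mixed $s): string
{
    return htmlspecialchars((string) ($s ?? ''), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: reject values that cannot be valid for the field. This is not the XSS
// fix on its own (full_name legitimately contains apostrophes and accented letters), but it
// keeps markup out of the database for the fields that have a narrow legitimate shape.
function validateRegistration(array $post): array
{
    $errors = [];
    $clean  = [];
    $rules  = [
        'student_id' => '/^\d{4,12}$/',                  // digits only; length bounds assumed
        'section'    => '/^[A-Za-z0-9-]{1,16}$/',
        'username'   => '/^[A-Za-z0-9_.]{3,32}$/',
        'full_name'  => '/^[\p{L}\p{M}\' .-]{1,100}$/u', // letters, marks, apostrophe, space, dot, hyphen
    ];
    foreach ($rules as $field => $re) {
        $value = trim((string) ($post[$field] ?? ''));
        if (preg_match($re, $value) !== 1) {
            $errors[] = "$field is invalid";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$errors, $clean];
}

// Store with a prepared statement so the same handler is not also open to SQL injection.
function storeRegistration(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO students (student_id, full_name, section, username) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$clean['student_id'], $clean['full_name'], $clean['section'], $clean['username']]);
}

// Hardened dashboard rendering: encode at output time regardless of what validation did, so
// records that were stored before the fix are displayed safely too.
function renderStudentRow(array $row): string
{
    return '<tr>'
        . '<td>' . e($row['student_id']) . '</td>'
        . '<td>' . e($row['full_name']) . '</td>'
        . '<td>' . e($row['section']) . '</td>'
        . '<td>' . e($row['username']) . '</td>'
        . '</tr>';
}

// Constructed input using the advisory's payload shape in the full_name field.
$submission = [
    'student_id' => '20241234',
    'full_name'  => '"><svg onload=alert(1)>',
    'section'    => 'A1',
    'username'   => 'student1',
];
[$errors, $clean] = validateRegistration($submission);
foreach ($errors as $error) {
    echo "rejected: $error", PHP_EOL;
}
// Even if such a record already exists in the table, rendering it is safe:
echo renderStudentRow($submission), PHP_EOL;
```

The order of the two functions matters: `validateRegistration` runs in the registration handler before anything is written, while `e()` runs at every point the dashboard prints a stored value. Applying `htmlspecialchars` on the way into the database instead is a common mistake: it double-encodes when the value is later printed through a template that encodes, and it leaves other output contexts (CSV export, JSON, e-mail) with the wrong encoding.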

