CVE-2026-9518
Deferred Deferred - Pending Action
Cross-Site Scripting in CodeIgniter-StudentManagementSystem

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9518
EUVD
EUVD-2026-31776
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hemant6488 codeigniter-studentmanagementsystem *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote attackers to inject malicious scripts via the student name parameter, leading to stored cross-site scripting (XSS). This can result in session hijacking and account takeover, including administrator accounts.

Such unauthorized access and potential data manipulation or exposure could lead to violations of data protection regulations like GDPR or HIPAA, which require safeguarding personal data and preventing unauthorized access.

Because the vulnerability enables attackers to compromise user sessions and potentially access sensitive student information, it undermines the confidentiality and integrity requirements mandated by these standards.

Executive Summary

CVE-2026-9518 is a Stored Cross-Site Scripting (XSS) vulnerability in the CodeIgniter Student Management System, specifically in the addStudent function of the Students Controller within the view_students.php file.

The vulnerability occurs because the system does not sanitize or filter the user-supplied input for the student name before storing it in the database. Later, when the student names are displayed on the student listing page, the malicious JavaScript code injected via the name parameter is executed in the browsers of users viewing that page.

This flaw can be exploited remotely without authentication due to broken access control, allowing an attacker to inject malicious scripts by sending crafted requests.

Impact Analysis

The impact of this vulnerability includes the potential for session hijacking and account takeover if an administrator's session is compromised.

An attacker can also deface the website or redirect users to malicious sites by injecting harmful scripts.

Since the vulnerability can be exploited remotely without credentials, it poses a significant risk of drive-by attacks affecting any user who visits the compromised student listing page.

Detection Guidance

This vulnerability can be detected by checking for the presence of unsanitized input in the student name field that leads to stored cross-site scripting (XSS) in the CodeIgniter Student Management System. Specifically, you can test the addStudent function by sending crafted POST requests with JavaScript payloads in the Name parameter and observing if the script executes when viewing the student listing page.

A practical detection method is to use curl or similar HTTP clients to send a POST request with a payload that includes a script tag in the Name field, for example:

  • curl -X POST -d "Name=<script>alert('XSS')</script>" http://target-url/path/to/addStudent

Then, access the student listing page (view_students.php) in a browser or via a tool like curl or wget to see if the injected script is rendered and executed.

Additionally, monitoring HTTP traffic for suspicious POST requests containing script tags or unusual payloads targeting the addStudent endpoint can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the Name parameter in the addStudent function, to prevent injection of malicious scripts.

Implement proper output encoding (such as HTML entity encoding) when rendering user-supplied data in the view_students.php page to prevent execution of injected scripts.

Restrict access to the addStudent endpoint by enforcing authentication and authorization controls to prevent anonymous attackers from exploiting the vulnerability.

As a temporary measure, monitor and block suspicious POST requests containing script tags or other potentially malicious payloads targeting the vulnerable endpoint.

Consider applying web application firewall (WAF) rules to detect and block XSS attack patterns.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart