CVE-2026-10228
Cross-Site Scripting in Student Management System by PHP
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| raisulislamg4 | student_management_system_by_php | up to and including 310d950e09013d5133c6b9210aff9444382d16d1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in the student management system by raisulislamg4. It occurs in the admission_form_check.php file where user input from the message field is not properly sanitized before being stored in the database. When administrators later view the admissions list, the malicious script embedded in the message is executed in their browsers.
An attacker can exploit this by submitting a specially crafted admission form containing malicious JavaScript code in the message field. This code runs every time the admissions page is accessed by an administrator, potentially allowing actions like session theft or unauthorized administrative operations.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of an administrator's browser. This can lead to session hijacking, where attackers steal session cookies to impersonate administrators.
It can also enable unauthorized actions on behalf of the administrator, such as modifying or deleting data, potentially compromising the integrity and security of the student management system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the admission form input field named 'Message' for stored cross-site scripting (XSS). Specifically, submitting a script payload in the Message field and then checking if the script executes when viewing the admissions list in the admissions.php page indicates the presence of the vulnerability.
A practical detection method is to submit an admission form with a simple JavaScript payload such as <script>alert('XSS')</script> in the Message field. Then, access the admissions list page as an administrator to see if the alert box appears.
There are no specific network commands provided, but manual testing through the web interface is recommended. Additionally, scanning tools that detect stored XSS vulnerabilities by injecting payloads into input fields and monitoring output can be used.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and encoding user input in the Message field before storing it in the database and before rendering it in the admissions list page.
Specifically, implement proper output encoding (e.g., HTML entity encoding) when displaying the Message content in admissions.php to prevent execution of injected scripts.
Until a patch or update is available, restrict access to the admissions list page to trusted administrators only and consider temporarily disabling the message display or input field to prevent exploitation.
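The output-encoding fix described in the mitigation answer above, together with a defender-side check for the detection question before it, as an added PHP example. This is not code from the raisulislamg4 project and does not reproduce its admission_form_check.php or admissions.php; the function names (renderMessageUnsafe, renderMessageSafe, storeAdmission, flagSuspiciousMessages), the admissions table layout (id, name, message) and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example, not code from the raisulislamg4 project. It contrasts the
// unescaped rendering pattern the advisory describes with an HTML-encoded
// version, stores raw text with a prepared statement, and scans rows that
// were stored before the fix. All names below are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the stored Message is echoed into the admissions list
// verbatim, so any markup in it is interpreted by the administrator's browser.
function renderMessageUnsafe(string $message): string
{
    return '<td>' . $message . '</td>';
}

// Hardened pattern: encode the value for an HTML text context at output time.
// ENT_QUOTES also encodes ' and " so the same value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderMessageSafe(string $message): string
{
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Storage side: a prepared statement keeps the raw text intact (no SQL
// injection, no lossy "sanitizing") and leaves encoding to the output layer.
function storeAdmission(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare('INSERT INTO admissions (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Triage helper for data accepted before the fix: flag stored messages that
// look like markup (a tag, a javascript: URL or an on*= handler) so an
// administrator can review them from this CLI rather than the affected page.
function flagSuspiciousMessages(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (preg_match('/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=/i', $row['message']) === 1) {
            $flagged[] = $row;
        }
    }
    return $flagged;
}

// Constructed sample rows: benign text, benign text containing a bare "<",
// and the probe string quoted in the advisory.
$rows = [
    ['id' => 1, 'name' => 'applicant', 'message' => 'Please confirm my admission for the autumn term.'],
    ['id' => 2, 'name' => 'applicant', 'message' => 'My score was 5 < 10, is that enough?'],
    ['id' => 3, 'name' => 'applicant', 'message' => "<script>alert('XSS')</script>"],
];

// Round-trip through an in-memory SQLite database when the driver exists,
// otherwise fall back to the in-memory rows.
if (in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE admissions (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');
    foreach ($rows as $row) {
        storeAdmission($db, $row['name'], $row['message']);
    }
    $stored = $db->query('SELECT id, name, message FROM admissions')->fetchAll(PDO::FETCH_ASSOC);
} else {
    $stored = $rows;
}

foreach ($stored as $row) {
    echo "unsafe: " . renderMessageUnsafe($row['message']) . PHP_EOL;
    echo "safe:   " . renderMessageSafe($row['message']) . PHP_EOL;
}

$flagged = flagSuspiciousMessages($stored);
echo count($flagged) . ' stored message(s) contain markup: ids '
    . implode(', ', array_column($flagged, 'id')) . PHP_EOL;
```

Running it with `php example.php` prints each message in both forms; in the encoded form the angle brackets and quotes of row 3 appear as entities, so the browser would display the text rather than execute it, while row 2 is encoded without being flagged by the triage scan. The same htmlspecialchars call is the fix to apply wherever admissions.php writes the Message value into HTML; storing raw text unchanged and encoding on output avoids double-encoding and keeps the stored data usable elsewhere.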
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows attackers to execute malicious scripts in the administrator's browser, potentially leading to session theft, account takeover, or unauthorized administrative actions.
Such unauthorized access and data manipulation risks can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure access controls to prevent data breaches and unauthorized data processing.
Because the vulnerability allows persistent malicious code execution within an administrative interface, it could lead to exposure or misuse of sensitive personal information managed by the student management system, thereby violating data protection requirements.