CVE-2026-10228
Deferred Deferred - Pending Action
Cross-Site Scripting in Student Management System by PHP

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. The impacted element is an unknown function of the file admission_form_check.php. The manipulation of the argument Message results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10228
EUVD
EUVD-2026-33561
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
raisulislamg4 student_management_system_by_php to 310d950e09013d5133c6b9210aff9444382d16d1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue found in the student management system by raisulislamg4. It occurs in the admission_form_check.php file where user input from the message field is not properly sanitized before being stored in the database. When administrators later view the admissions list, the malicious script embedded in the message is executed in their browsers.

An attacker can exploit this by submitting a specially crafted admission form containing malicious JavaScript code in the message field. This code runs every time the admissions page is accessed by an administrator, potentially allowing actions like session theft or unauthorized administrative operations.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of an administrator's browser. This can lead to session hijacking, where attackers steal session cookies to impersonate administrators.

It can also enable unauthorized actions on behalf of the administrator, such as modifying or deleting data, potentially compromising the integrity and security of the student management system.

Detection Guidance

This vulnerability can be detected by testing the admission form input field named 'Message' for stored cross-site scripting (XSS). Specifically, submitting a script payload in the Message field and then checking if the script executes when viewing the admissions list in the admissions.php page indicates the presence of the vulnerability.

A practical detection method is to submit an admission form with a simple JavaScript payload such as <script>alert('XSS')</script> in the Message field. Then, access the admissions list page as an administrator to see if the alert box appears.

There are no specific network commands provided, but manual testing through the web interface is recommended. Additionally, scanning tools that detect stored XSS vulnerabilities by injecting payloads into input fields and monitoring output can be used.

Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding user input in the Message field before storing it in the database and before rendering it in the admissions list page.

Specifically, implement proper output encoding (e.g., HTML entity encoding) when displaying the Message content in admissions.php to prevent execution of injected scripts.

Until a patch or update is available, restrict access to the admissions list page to trusted administrators only and consider temporarily disabling the message display or input field to prevent exploitation.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows attackers to execute malicious scripts in the administrator's browser, potentially leading to session theft, account takeover, or unauthorized administrative actions.

Such unauthorized access and data manipulation risks can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure access controls to prevent data breaches and unauthorized data processing.

Because the vulnerability allows persistent malicious code execution within an administrative interface, it could lead to exposure or misuse of sensitive personal information managed by the student management system, thereby violating data protection requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart