CVE-2026-10301
Deferred Deferred - Pending Action
Cross-Site Scripting in Fees Management System

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A vulnerability was detected in itsourcecode Fees Management System 1.0. The affected element is an unknown function of the file index.php. Performing a manipulation of the argument page results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10301
EUVD
EUVD-2026-33849
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode fees_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10301 is a reflected Cross-Site Scripting (XSS) vulnerability found in the Fees Management System version 1.0, specifically in the index.php file. The vulnerability arises because the 'page' URL parameter is directly reflected in the webpage output without proper sanitization, allowing attackers to inject malicious JavaScript code.

This flaw can be exploited remotely without requiring authentication by tricking users into visiting a specially crafted URL that contains malicious scripts.

To exploit this, an attacker might use a URL like: http://[target]/index.php?page=%27)</script><script>alert(0)</script>(%27 to execute arbitrary JavaScript in the victim's browser.

Mitigation involves validating and encoding input parameters and implementing security headers such as Content-Security-Policy and X-XSS-Protection.

Impact Analysis

This reflected XSS vulnerability can have several impacts on users and the system.

  • Session hijacking, where attackers steal user session cookies to impersonate users.
  • Unauthorized actions performed on behalf of the user without their consent.
  • Theft of sensitive data accessible through the user's browser.
  • Distribution of malware by injecting malicious scripts.
Detection Guidance

This vulnerability can be detected by testing the 'page' parameter in the index.php file for reflected Cross-Site Scripting (XSS). An effective method is to send a crafted URL that includes a JavaScript payload and observe if it executes in the browser.

  • Use a web browser or tools like curl or wget to request a URL such as: http://[target]/index.php?page=%27)</script><script>alert(0)</script>(%27
  • If the JavaScript alert box appears, it confirms the presence of the XSS vulnerability.
  • Alternatively, use web vulnerability scanners that test for reflected XSS by injecting scripts into URL parameters.
Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and output encoding on the 'page' parameter to prevent malicious scripts from executing.

  • Sanitize user input using functions like htmlspecialchars() or htmlentities() in PHP to encode special characters.
  • Implement security headers such as Content-Security-Policy (CSP) and X-XSS-Protection to reduce the risk of XSS attacks.
  • Avoid reflecting user input directly in the page output without proper sanitization.
Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) flaw that can lead to session hijacking, unauthorized actions, data theft, and malware distribution. Such impacts can compromise the confidentiality and integrity of user data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the potential for data theft and unauthorized access caused by this vulnerability could lead to violations of these regulations, which require protection of personal and sensitive data.

Remediation steps such as input validation, output encoding, and security headers are necessary to mitigate these risks and help maintain compliance with data protection standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10301. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart