CVE-2026-11534
Received Received - Intake
Stored XSS in imvks786 Student Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11534
EUVD
EUVD-2026-35132
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imvks786 student_management_system to 9599b560ad3c3b83e75d328b76bedcd489ef1f46 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11534 is a Stored Cross-Site Scripting (XSS) vulnerability in the imvks786 student_management_system, specifically in the add.php file. The vulnerability arises because user inputs such as name, address, or father's name are directly concatenated into the database without proper sanitization or encoding.

An attacker can inject malicious JavaScript code into student records. When other users view these records on affected pages, the malicious script executes in their browsers.

This can lead to session theft, cookie hijacking, and privilege escalation, especially if an administrator views the infected record. The attack is persistent because the malicious payload is stored in the database.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you view compromised student records.

  • Stealing your session tokens or cookies, which can lead to unauthorized access to your account.
  • Escalating privileges if you have administrative rights, potentially allowing attackers to control or manipulate the system.
  • Persistent attacks since the malicious code is stored in the database and can affect multiple users over time.
Detection Guidance

This vulnerability can be detected by testing the affected endpoints for stored cross-site scripting (XSS) by injecting typical XSS payloads into the parameters name, address, or fname in the /add.php script.

For example, you can use curl or similar HTTP clients to send requests with payloads like `<svg/onload=alert(1337)>` to the /add.php endpoint and then check if the payload is stored and executed when viewing records in pages such as see.php, seeall.php, phone/record.php, or std_home/std_profile.php.

A sample command to test injection might be:

  • curl -X POST -d "name=<svg/onload=alert(1337)>&address=test&fname=test" http://target-system/add.php

After injecting, visit the pages that display the stored data to see if the alert triggers, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include sanitizing and encoding user inputs and outputs to prevent malicious scripts from being stored and executed.

Specifically, applying output encoding functions such as htmlspecialchars() in PHP when displaying user-supplied data can prevent the execution of injected scripts.

Additionally, reviewing and restricting input fields to allow only expected characters and implementing Content Security Policy (CSP) headers can reduce the impact of XSS attacks.

Since the project has not yet responded with a patch, consider temporarily disabling or restricting access to the vulnerable /add.php functionality if possible.

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows attackers to inject malicious scripts into the student management system's database. This can lead to session theft, cookie hijacking, and privilege escalation, potentially exposing sensitive user data.

Such unauthorized access and exposure of personal data can violate data protection regulations like GDPR and HIPAA, which require safeguarding personal information against unauthorized access and ensuring data integrity and confidentiality.

Because the vulnerability enables persistent attacks and data manipulation without proper sanitization or encoding, it undermines compliance with these standards that mandate secure handling of personal data and protection against cross-site scripting attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11534. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart