CVE-2026-16155
Received Received - Intake

Cross-Site Scripting in Class and Exam Timetabling System

Vulnerability report for CVE-2026-16155, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argument sy leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester class_and_exam_timetabling_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /schoolyr.php file where the 'sy' argument is manipulated, allowing an attacker to inject malicious scripts. The attack can be executed remotely and an exploit is publicly available.

Detection Guidance

To detect this XSS vulnerability in the Class and Exam Timetabling System, inspect web traffic for requests to /schoolyr.php with the 'sy' parameter containing suspicious input. Look for reflected or stored XSS patterns like <script> tags or JavaScript events in the response.

Impact Analysis

This XSS vulnerability could allow attackers to execute malicious scripts in a user's browser when they access the affected system. This may lead to theft of session cookies, account hijacking, or defacement of web pages. Users with low privileges could be tricked into triggering the exploit.

Compliance Impact

This XSS vulnerability could potentially violate GDPR by exposing user data through script injection or HIPAA by compromising protected health information if the system handles such data. It undermines security controls required by these regulations.

Mitigation Strategies

Immediately update the application to the latest patched version if available. If no patch exists, implement input validation on the 'sy' parameter to block script tags and other XSS payloads. Use a web application firewall to filter malicious requests targeting this parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart