CVE-2026-16202
Received Received - Intake

Cross-Site Scripting in Class and Exam Timetabling System

Vulnerability report for CVE-2026-16202, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /CYS.php. This manipulation of the argument course causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester class_and_exam_timetabling_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) flaw in the Class and Exam Timetabling System 1.0. The issue occurs in the /CYS.php file where the 'course' parameter is not properly validated or encoded. Attackers can inject malicious scripts via this parameter, which executes in the victim's browser.

Detection Guidance

To detect this XSS vulnerability, inspect the /CYS.php file for improper handling of the 'course' parameter. Check if user input is reflected without proper encoding. Use browser developer tools to inspect network requests and responses for the 'course' parameter. Test by injecting harmless script tags like <script>alert(1)</script> in the parameter to see if it executes.

Impact Analysis

An attacker could exploit this to steal sensitive data like cookies or session tokens, perform unauthorized actions, deface web pages, or redirect users to malicious sites. Exploitation can occur remotely without requiring login or authorization.

Compliance Impact

This XSS vulnerability could lead to unauthorized access to sensitive data, such as session tokens or cookies, which may contain personal or health information. This could violate GDPR if personal data is exposed and HIPAA if protected health information is compromised. The lack of input validation and output encoding increases the risk of such breaches.

Mitigation Strategies

Immediately validate and sanitize all user inputs, especially the 'course' parameter in /CYS.php. Implement proper output encoding before rendering data. Add Content Security Policy headers to restrict script execution. Set secure and HttpOnly flags for cookies to mitigate session hijacking risks. Update the system to the latest patched version if available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart