CVE-2026-16220
Received Received - Intake

Online Examination System 1.0 Cross Site Scripting via eid/n/t

Vulnerability report for CVE-2026-16220, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability has been found in code-projects Online Examination System 1.0. This vulnerability affects unknown code of the file /account.php?q=quiz. Such manipulation of the argument eid/n/t leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a reflected Cross-Site Scripting (XSS) vulnerability in the Online Examination System 1.0. It occurs in the account.php file when handling quiz parameters. The system fails to sanitize user input in the eid, n, and t parameters, allowing malicious scripts to be injected via the n parameter. These scripts execute in the victim's browser when they access a crafted URL.

Detection Guidance

To detect this reflected XSS vulnerability, inspect the /account.php?q=quiz URL parameters eid, n, and t for unsanitized input. Check if the n parameter reflects in the HTML response without encoding. Use browser developer tools to monitor network requests and responses for these parameters.

Impact Analysis

An attacker could exploit this to execute arbitrary JavaScript in your browser during an authenticated student session. This may lead to session theft, sensitive data exposure, page manipulation, phishing attacks, or unauthorized actions performed on your behalf without your knowledge.

Compliance Impact

This reflected XSS vulnerability could lead to unauthorized access to sensitive data, such as exam results or personal information, which may violate GDPR's data protection requirements. For HIPAA, if the system handles protected health information, the lack of input validation could expose patient data, risking compliance with HIPAA's security rules.

Mitigation Strategies

Implement strict input validation for the eid, n, and t parameters in /account.php. Apply output encoding when rendering these parameters in HTML. Ensure all user inputs are sanitized before being included in the page. Consider using Content Security Policy (CSP) headers to mitigate XSS risks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16220. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart