CVE-2026-10112
Description
A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in STUDENT-MANAGEMENT-SYSTEM 1.0 dashboards allows attackers to inject arbitrary JavaScript via unescaped name fields.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) issue in the STUDENT-MANAGEMENT-SYSTEM version 1.0. The affected component is the Dashboard Page, specifically the admin_dashboard.php, student_dashboard.php, and teacher_dashboard.php files. User-supplied values, such as the Name argument, are directly echoed into HTML attributes without proper encoding (e.g., <?php echo $row['name']?>). This allows an attacker who can insert data into the database to inject malicious scripts. [1][2]
Exploitation
An attacker must first insert a malicious payload into the name field, for example via an unauthenticated addStudent endpoint or other data insertion vulnerability. Once the payload is stored, any user (admin, student, or teacher) who views the corresponding dashboard page will trigger the script. The attack can be initiated remotely without authentication if the data insertion endpoint is unprotected. [2]
Impact
Successful exploitation results in arbitrary JavaScript execution in the victim's browser. This can lead to cookie theft, session hijacking, defacement, or other client-side attacks. The impact is limited to the browser context of the user viewing the dashboard. [2]
Mitigation
The project maintainer has been informed via an issue report but has not responded. No official fix or patched version has been released as of the publication date. Users should sanitize all user-supplied output using functions like htmlspecialchars() in PHP before rendering in HTML attributes. Until a fix is available, consider restricting access to dashboard pages or implementing input validation. [1][2]
- GitHub - sambitraj/STUDENT-MANAGEMENT-SYSTEM: "Student Management System (SMS) is a solution tool that is designed to track, maintain and manage all the data generated by a School, including the grades of a student.
- Stored Cross-Site Scripting (XSS) in Admin, Student, and Teacher Dashboards via Unescaped User Details
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: =1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Directly echoing database values (specifically the 'name' field) inside HTML attributes without HTML entity encoding allows stored cross-site scripting."
Attack vector
An attacker first inserts a malicious payload (e.g., `"><script>alert(document.cookie)</script>`) into the student name field in the database, either through an unauthorised data insertion vulnerability or the unauthenticated addStudent endpoint [ref_id=1]. When an administrator, student, or teacher visits their respective dashboard (admin_dashboard.php, student_dashboard.php, or teacher_dashboard.php), the application echoes the stored name value directly inside an `<input>` tag's `value` attribute without any HTML encoding [ref_id=1]. The injected payload breaks out of the attribute, causing arbitrary JavaScript to execute in the victim's browser. The attack is remote and requires the victim to view the dashboard page, though the CVSS score notes the attacker needs high privileges (PR:H) and user interaction (UI:R).
Affected code
The vulnerability exists in three dashboard files: admin_dashboard.php, student_dashboard.php, and teacher_dashboard.php [ref_id=1]. The issue is in code such as `<input type="text" id="btn1" value="<?php echo $row['name']?>" disabled>` where the `name` field from the database is echoed directly into an HTML attribute without sanitization [ref_id=1].
What the fix does
No patch has been published by the vendor; the project was informed via an issue report but has not responded [ref_id=1]. The remediation recommended by the researcher is to apply HTML entity encoding (e.g., using `htmlspecialchars()` in PHP) to all database values before echoing them into HTML attributes or page content [ref_id=1]. Specifically, the `$row['name']` output in admin_dashboard.php, student_dashboard.php, and teacher_dashboard.php should be wrapped with a function that escapes special characters such as `"`, `'`, `<`, and `>`.
Preconditions
- inputA malicious payload must be stored in the 'name' field of the database (e.g., via unauthorised data insertion or the unauthenticated addStudent endpoint)
- networkA victim (admin, student, or teacher) must visit one of the affected dashboard pages
Reproduction
1. Insert a malicious student name into the database, for example: `"><script>alert(document.cookie)</script>` (via the unauthorised data insertion vulnerability or the unauthenticated addStudent endpoint). 2. Log in (or directly access without authentication, depending on other flaws) and navigate to a dashboard that lists students, e.g., `http://target.com/admin_dashboard.php`. 3. The page renders an `<input>` tag like: `<input type="text" id="btn1" value=""><script>alert(document.cookie)</script>" disabled>`, causing the injected script to execute [ref_id=1].
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.