CVE-2026-10228
Description
A stored XSS vulnerability in the student management system via the admission form message field allows attackers to execute arbitrary JavaScript in the admin's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the admission_form_check.php file of the raisulislamg4/student_management_system_by_php project up to commit 310d950e09013d5133c6b9210aff9444382d16d1. The application inserts user-supplied input from the Message POST parameter directly into the database without sanitization. Later, the admissions.php page renders the stored message inside an HTML `<td>` element without output encoding, so the browser interprets any markup in the stored value as HTML, leading to XSS. The project uses a rolling release model, so no specific version number is available [1][2].
Exploitation
An attacker can exploit this by submitting an admission form with a malicious JavaScript payload in the message field. For example, sending a POST request to /admission_form_check.php with the payload as the value of the message parameter stores it in the database. When an administrator views the admissions list at admissions.php, the script executes in the admin's browser. No authentication is required to submit the form, and the attack can be performed remotely [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the administrator's session. This can lead to session hijacking, theft of admin cookies, account takeover, and unauthorized administrative actions such as creating or deleting users, modifying records, and full system compromise [1].
Mitigation
As of the publication date (2026-06-01), no fix has been released. The project maintainer was informed via an issue report but has not responded [1]. Mitigation requires manually sanitizing the Message input (e.g., using htmlspecialchars() in PHP) and properly encoding output in admissions.php. Since the project follows a rolling release, users should monitor the repository for updates [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not sanitize user-supplied input before storing it in the database and does not encode output when rendering the stored message in the admin panel, enabling stored cross-site scripting."
Attack vector
An unauthenticated attacker submits an admission form with a malicious JavaScript payload in the `message` parameter to `admission_form_check.php`. The payload is stored in the database without sanitization [CWE-79]. When an administrator later visits `admissions.php`, the stored payload is rendered directly into the HTML response and executes in the administrator's browser, enabling session hijacking or further administrative actions [ref_id=1].
Affected code
The vulnerability resides in `admission_form_check.php` (lines 6–23) which inserts the user-supplied `message` parameter into the database without sanitization, and `admissions.php` (lines 45–66) which renders the stored message inside an HTML `<td>` element without output encoding [ref_id=1].
What the fix does
The advisory does not provide a patch. The fix requires two changes: (1) sanitize or validate the `$_POST['message']` input on the server side before storing it in the database, and (2) apply output encoding (e.g. `htmlspecialchars()`) when rendering the `MESSAGE` column in `admissions.php` to prevent the browser from interpreting injected HTML or JavaScript [ref_id=1].
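The two-part fix described above (reject bad input in admission_form_check.php, encode on output in admissions.php), as an added example that is not the project's code: the raw-echo pattern the advisory describes sits next to a hardened version, the function names are hypothetical, and the rows are constructed stand-ins for what the MESSAGE column returns.

```php
<?php
// Added example (not the project's code): the raw-echo pattern the advisory
// describes for admissions.php next to a hardened version, plus a server-side
// check for the Message POST parameter. Function names are hypothetical; the
// rows below are constructed stand-ins for what the MESSAGE column returns.

// Vulnerable: the stored value lands inside <td> untouched, so any markup in
// MESSAGE is parsed as HTML in the administrator's browser.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['NAME'] . '</td><td>' . $row['MESSAGE'] . '</td></tr>';
}

// Hardened: encode for the HTML text context at the point of output.
// ENT_QUOTES covers both quote styles (safe for attribute contexts too);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty cell.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['NAME']) . '</td><td>' . h($row['MESSAGE']) . '</td></tr>';
}

// Server-side input check for the Message POST parameter. Output encoding is
// still required; this only rejects malformed or oversized input before storage.
function validate_message(string $message, int $maxLen = 2000): ?string
{
    $message = trim($message);
    if ($message === '' || !mb_check_encoding($message, 'UTF-8')
        || mb_strlen($message, 'UTF-8') > $maxLen) {
        return null;
    }
    // Drop control characters except tab and newline; a free-text admission
    // message has no legitimate use for them.
    return preg_replace('/[^\P{C}\t\n]/u', '', $message);
}

// Constructed rows: a normal message and one carrying stored markup.
$rows = [
    ['NAME' => 'Jane Doe', 'MESSAGE' => 'Looking forward to joining.'],
    ['NAME' => 'x', 'MESSAGE' => '<script>alert("stored")</script>'],
];
foreach ($rows as $row) {
    echo render_row_vulnerable($row), "\n"; // second row: the <script> tag survives
    echo render_row_safe($row), "\n";       // second row: rendered as &lt;script&gt;...
}
```

Encoding belongs at the output step for every untrusted column, not only MESSAGE; validating input is a second layer, not a replacement.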
Preconditions
- Network: the attacker must be able to reach the admission form endpoint (admission_form_check.php) over the network.
- Input: the attacker must submit a POST request with a crafted message parameter containing a JavaScript payload.
- Auth: an administrator must visit the admissions.php page to trigger the stored payload.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.