VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-11337

Description

A reflected cross-site scripting vulnerability in CollegeManagementSystem's fetch.php allows remote attackers to execute arbitrary JavaScript in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the fetch.php file of the tittuvarghese CollegeManagementSystem. The department_name POST parameter is echoed directly into an HTML `<td>` element without sanitization or output encoding, so attacker-supplied markup is reflected unchanged into the response.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious POST request to /dashboard_page/forms/fetch.php with the action parameter set to fetch_subject_data and injecting a script payload into the department_name parameter. If a victim's browser renders the HTML response containing this payload (e.g., via an AJAX callback), the script will execute.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, enabling the theft of session cookies from authenticated users, or facilitate Cross-Site Request Forgery (CSRF)-like actions, such as modifying or deleting data on behalf of the victim.

Mitigation

This product operates on a rolling release basis, and specific version details for affected or updated releases are not available. The project was informed of the vulnerability early via an issue report [1], but as of the available references, no patch or official response has been disclosed. Therefore, no mitigation or fixed version is currently known.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application directly echoes user-supplied input into an HTML element without sanitization or output encoding."

Attack vector

An attacker can exploit this vulnerability by sending a crafted POST request to the `fetch.php` endpoint. The request must include the `action` parameter set to `fetch_subject_data` and a malicious payload within the `department_name` parameter. This payload, such as a `<script>` tag, is then reflected directly into the HTML response. If the response is processed by an AJAX callback and injected into the DOM using methods like `innerHTML`, the embedded script will execute in the victim's browser [ref_id=1].

Affected code

The vulnerability resides in the `fetch.php` file, specifically within the `fetch_subject_data` action. The code directly echoes the `department_name` POST parameter into an HTML `<td>` element without any sanitization or output encoding: `<td><?php echo $department_name.' ('.$department.')'; ?></td>` [ref_id=1].

What the fix does

The advisory does not specify any patches or fixes. The recommended remediation is to properly sanitize or encode the `department_name` parameter before echoing it into the HTML response to prevent script execution [ref_id=1].
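To make the remediation concrete, the following PHP is an added example and not code from CollegeManagementSystem: it places the reflected echo described above beside an output-encoded version. Only `$department_name` and `$department` come from the advisory; the function names, the `h()` helper and the way POST values are read are assumptions.

```php
<?php
// Added example (not CollegeManagementSystem's code). Function names and the
// POST-reading helper are assumptions; only $department_name / $department
// appear in the advisory's affected line.

// Read a POST value as a string. A non-string (e.g. department_name[]=x) is
// treated as empty instead of being coerced to "Array" or causing a TypeError.
function post_string(array $post, string $key): string {
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Encode a value for an HTML text/attribute context. ENT_QUOTES also encodes
// ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning "".
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern the advisory describes: raw POST data concatenated into <td>.
function render_subject_row_vulnerable(array $post): string {
    $department_name = post_string($post, 'department_name');
    $department      = post_string($post, 'department');
    return '<td>' . $department_name . ' (' . $department . ')</td>';
}

// Hardened: every user-controlled value is encoded at the point of output,
// and the response declares its charset so the browser decodes it as intended.
function render_subject_row_safe(array $post): string {
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    $department_name = post_string($post, 'department_name');
    $department      = post_string($post, 'department');
    return '<td>' . h($department_name) . ' (' . h($department) . ')</td>';
}

// Constructed input mirroring the advisory's reproduction request.
$post = ['department_name' => '<script>alert(1)</script>', 'department' => 'CSE'];
echo render_subject_row_vulnerable($post), "\n";
echo render_subject_row_safe($post), "\n";
```

The safe row still reaches the browser through the same AJAX callback; encoding at output is what keeps the reflected text from being parsed as markup when the callback writes it into the DOM.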

Preconditions

  • input: The attacker must control the `department_name` parameter.
  • network: The attacker can send requests remotely.
  • input: The `action` parameter must be set to `fetch_subject_data`.

Reproduction

POST /dashboard_page/forms/fetch.php HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

action=fetch_subject_data&program=B.Tech&course_code=CS&course=Computer&scheme=2015&semester=1&department=CSE&department_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E

The response will contain the unescaped script tag, which will execute if injected into the DOM [ref_id=1].

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.