CVE-2026-11534
Description
Cross-site scripting vulnerability in imvks786 student_management_system allows remote attackers to inject malicious scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the imvks786 student_management_system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The vulnerability lies within the /add.php file, where user-supplied input for name, address, and fname is directly concatenated into an SQL query without sanitization. Subsequently, multiple pages display this data without output encoding, allowing for script injection [1]. Version details for affected and updated releases are not available due to the project's rolling release model [2].
Exploitation
An attacker can exploit this vulnerability by submitting a new student record via a POST request to /add.php. The name or address fields should contain a malicious script payload, such as <svg/onload=alert(1337)>. This crafted input is then stored in the database. The vulnerability is remotely exploitable and requires no special privileges beyond the ability to add a student record [1].
Impact
When any user, including administrators, teachers, or students, views the student records that contain the malicious payload (e.g., on see.php or student profile pages), the injected JavaScript will execute in their browser. This can lead to session theft, cookie hijacking, and potentially further compromise of the user's account or the system [1].
Mitigation
As of the available references, no patched version or specific mitigation has been released by the project. The project was reportedly informed early through an issue report but has not yet responded [1, 2]. It is advisable to monitor the project's GitHub repository for any future updates or advisories.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to sanitize user-supplied input before inserting it into the database and later echoing it into HTML."
Attack vector
An attacker can submit a new student record via a POST request to `/add.php`, manipulating fields such as 'name' or 'address' with a malicious script payload. This payload is then stored in the database. When any user views student records on pages like `see.php` or `seeall.php`, the stored script is executed in their browser, enabling remote attacks [ref_id=1].
Affected code
The vulnerability exists in the `/add.php` script, specifically in lines 9-20, where user input from POST fields like 'name', 'address', and 'fname' is directly concatenated into an SQL query without sanitization. Subsequently, multiple pages including `see.php` (lines 83-90), `seeall.php` (lines 129-175), `phone/record.php` (lines 45-89), and `std_home/std_profile.php` (lines 48-90) echo raw database values directly into HTML without output encoding [ref_id=1].
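A hardened version of the two code paths the advisory names, as an added example that is not the project's code: a parameterised INSERT for the `add.php` POST handling, and output encoding at the point where `see.php`-style pages echo database values. It assumes a PDO connection (`$pdo`) and a `students` table with columns `name`, `address` and `fname`; the table and column names are assumptions.

```php
<?php
// Added example (not the project's code). Assumes a PDO connection $pdo and a
// `students` table with columns name, address, fname (names assumed).
declare(strict_types=1);

/** Encode a database value so it is inert inside an HTML text node or attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Store a student record. The bound parameters replace the string
 * concatenation the advisory describes in add.php, so the stored value is
 * exactly what the user typed; encoding happens at output time, not here.
 */
function addStudent(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO students (name, address, fname) VALUES (:name, :address, :fname)'
    );
    $stmt->execute([
        ':name'    => (string)($post['name'] ?? ''),
        ':address' => (string)($post['address'] ?? ''),
        ':fname'   => (string)($post['fname'] ?? ''),
    ]);
}

/** Render one student row; every database value is HTML-encoded on the way out. */
function renderStudentRow(array $row): string
{
    return '<tr><td>' . h((string)$row['name']) . '</td>'
         . '<td>' . h((string)$row['address']) . '</td>'
         . '<td>' . h((string)$row['fname']) . '</td></tr>';
}

// Constructed sample row carrying the payload quoted in the advisory; after
// encoding, the browser shows it as literal text instead of running it.
$sample = [
    'name'    => '<svg/onload=alert(1337)>',
    'address' => '1 Example Street',
    'fname'   => 'Parent "Name"',
];
echo renderStudentRow($sample), PHP_EOL;
```

The same `h()` wrapper belongs around every echoed field in `seeall.php`, `phone/record.php` and `std_home/std_profile.php`; values placed inside a JavaScript block or a URL need a context-specific encoder instead.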
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. It notes that the project was informed early but has not responded. Therefore, no remediation details are available.
Preconditions
- auth: The attacker must have an account with write access to add student records.
- network: The attack can be launched remotely.
Reproduction
Log in with an account that can add students. Send a POST request to `/add.php` with a crafted `name` field, for example, `<svg/onload=alert(1337)>`. After the student is added, navigate to any page that lists student records, such as `see.php`. The injected script will execute in the browser [ref_id=1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.