CVE-2026-3982
Description
A vulnerability was identified in itsourcecode University Management System 1.0. It affects an unknown functionality of the file /view_result.php. Manipulating the argument vr can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in itsourcecode University Management System 1.0 via the vr parameter in /view_result.php allows remote unauthenticated attackers to execute arbitrary scripts in victims' browsers.
A reflected cross-site scripting (XSS) vulnerability exists in the /view_result.php file of itsourcecode University Management System 1.0. The root cause is the lack of proper input validation and output encoding for the 'vr' parameter; user-supplied data is directly rendered into the web page, allowing injection of arbitrary HTML and JavaScript code [1].
Exploitation does not require authentication. An attacker can craft a malicious URL containing a script payload in the vr parameter and lure a victim to visit it. For example, the payload `` demonstrates script execution. The vulnerability is publicly known and can be triggered remotely [1].
Impact includes theft of cookies and session tokens, which could lead to account takeover. The attacker can also perform actions impersonating the victim, deface content, redirect users to malicious websites, or gain further control over the victim's browser, posing a significant threat to confidentiality and integrity [1].
No official patch has been announced. Users are advised to sanitize the 'vr' parameter and apply output encoding to prevent XSS attacks. Since the exploit code is public, immediate mitigation is recommended [1].
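One way to apply the input validation and output encoding recommended above, as an added example (not code from the affected project, whose source is not shown on this page). It assumes vr is a short identifier; the helpers h() and read_vr() and the HTML markup are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening sketch for a page that reflects the vr argument.
// Assumption: vr is a short identifier made of letters, digits, '-' and '_'.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Allow-list validation of vr.
 * Returns null when the parameter is missing, not a string, or malformed.
 */
function read_vr(array $query): ?string
{
    $raw = $query['vr'] ?? null;
    if (!is_string($raw)) {
        // Rejects array-style input (vr[]=...) as well as a missing parameter.
        return null;
    }
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

$vr = read_vr($_GET);
if ($vr === null) {
    // Fail closed, and never echo the rejected value back to the client.
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    exit('Invalid vr parameter');
}

header('Content-Type: text/html; charset=UTF-8');
?>
<!-- Encode at the point of output even though vr passed validation. -->
<h2>Result: <?= h($vr) ?></h2>
<input type="hidden" name="vr" value="<?= h($vr) ?>">
```

htmlspecialchars() covers HTML text and quoted attribute contexts only; a value placed inside a script block or a URL needs the encoder for that context instead.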
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
References (5)
News mentions
No linked articles in our index yet.