VYPR
Low severity (2.4) · NVD Advisory · Published Mar 23, 2026 · Updated Apr 29, 2026

CVE-2026-4576

Description

A vulnerability has been found in code-projects Exam Form Submission 1.0. Impacted is an unknown function of the file /admin/update_s5.php. Such manipulation of the argument sname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in code-projects Exam Form Submission 1.0's /admin/update_s5.php allows remote attackers to inject arbitrary scripts via the sname parameter.

The vulnerability is a reflected cross-site scripting (XSS) flaw found in the file /admin/update_s5.php of code-projects Exam Form Submission version 1.0. The root cause is that the application takes user input from the sname parameter and outputs it directly to the web page without proper sanitization or encoding, as detailed in the exploit report [1]. This allows an attacker to inject arbitrary HTML and JavaScript code.

Exploitation is straightforward and requires no authentication; the attacker simply crafts a URL with a malicious payload in the sname parameter and tricks a victim into clicking it. The attack can be launched remotely, and no special network access is needed. The payload executes in the context of the victim's browser [1].

Successful exploitation can lead to theft of cookies, session tokens, or other sensitive information, enabling the attacker to perform actions on behalf of the victim, deface the application, or redirect users to malicious sites [1]. The severity is rated low (CVSS 2.4) due to the need for user interaction, but the impact can be significant if an admin is targeted.

No official patch has been released by the vendor, code-projects [2], as of the publication date. The vendor's site [2] still hosts the vulnerable code. Suggested mitigations include proper output encoding of the sname parameter. Since the exploit is public, users of this software should apply input validation and encoding immediately [1].
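The mitigation named above (output encoding plus input validation for sname), as an added example that is not code from the vendor or the exploit report. The real source of /admin/update_s5.php is not shown on this page, so every function name, the allowed character set and the length limit below are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins: the real /admin/update_s5.php source is not shown in this advisory.

// Unsafe pattern the advisory describes: request input placed into HTML unchanged.
function render_sname_unsafe(string $raw): string
{
    return '<td>' . $raw . '</td>';
}

// Input validation: allowlist of letters, digits, spaces and a little punctuation.
// The character set and the 100-byte limit are assumptions; adjust to the real field.
function validate_sname(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 100) {
        return null;
    }
    // The /u flag also makes preg_match fail on invalid UTF-8.
    return preg_match('/^[\p{L}\p{N} .,\'&()-]+$/u', $value) === 1 ? $value : null;
}

// Output encoding for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: validate on the way in, encode on the way out.
function render_sname_safe(string $raw): string
{
    $sname = validate_sname($raw);
    return $sname === null
        ? '<td class="error">Invalid name</td>'
        : '<td>' . h($sname) . '</td>';
}

// Constructed sample values, not taken from the exploit report.
$samples = ["Data Structures & Algorithms", "O'Brien", '<b onmouseover="x">test</b>'];
foreach ($samples as $s) {
    echo 'unsafe: ', render_sname_unsafe($s), PHP_EOL;
    echo 'safe:   ', render_sname_safe($s), PHP_EOL;
}
```

The first two samples pass validation yet still contain `&` and `'`, which is why encoding at output is applied even to values the allowlist accepts.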

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.
