VYPR
Low severity 2.4 · NVD Advisory · Published Mar 23, 2026 · Updated Apr 29, 2026

CVE-2026-4578

Description

A vulnerability was found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/update_s3.php. Manipulating the argument sname can lead to cross-site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in code-projects Exam Form Submission 1.0's /admin/update_s3.php allows remote attackers to inject arbitrary scripts via the sname parameter.

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the file /admin/update_s3.php. The issue originates from the sname parameter, where user input is directly output to the web page without proper encoding or filtering, allowing an attacker to inject malicious script code [1].

The vulnerability can be exploited remotely without requiring any authentication or login. An attacker simply needs to craft a URL containing a malicious payload in the sname parameter, such as ``, and trick a victim into visiting it. The injected script then executes in the victim's browser [1].

Successful exploitation enables an attacker to steal cookies, session tokens, or other sensitive information, perform actions on behalf of the victim, deface web pages, redirect users to malicious sites, or even gain control over the victim's browser. This poses a threat to user privacy and the security of the application [1].

As of the publication date (March 23, 2026), the vulnerability has been publicly disclosed with a proof-of-concept. The vendor recommends implementing output encoding for the sname parameter to mitigate the issue. No official patch has been mentioned, and the software version 1.0 is affected.
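The output-encoding mitigation named above, as an added example that is not code from the advisory or from the Exam Form Submission project. The two render functions and the `stays_in_attribute` check are hypothetical names, the markup is an assumed stand-in for how the page reflects `sname`, and the sample value is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a handler that reflects sname without encoding.
// The real /admin/update_s3.php source is not shown on this page.
function render_unencoded(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// Same markup with output encoding for a double-quoted HTML attribute.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_encoded(string $sname): string
{
    $safe = htmlspecialchars($sname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="sname" value="' . $safe . '">';
}

// Parse the markup and report whether the input survived as inert data:
// exactly one element inside <body>, and its value attribute equal to
// what was submitted.
function stays_in_attribute(string $html, string $submitted): bool
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $elements = $doc->getElementsByTagName('body')->item(0)
        ->getElementsByTagName('*');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $elements->length === 1
        && $input !== null
        && $input->getAttribute('value') === $submitted;
}

// Constructed sample value (ASCII only): harmless text containing the
// characters that are significant in HTML.
$sname = 'Ann "AJ" O\'Neil <b>bold</b> & co';

var_dump(stays_in_attribute(render_unencoded($sname), $sname)); // unencoded
var_dump(stays_in_attribute(render_encoded($sname), $sname));   // encoded
```

The same round-trip check can serve as a regression test for any other field the application writes back into an HTML attribute.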

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

5
