VYPR
Low severity · CVSS 2.4 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 29, 2026

CVE-2026-4909

Description

A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in code-projects Exam Form Submission 1.0 via the sname parameter in /admin/update_s7.php allows remote, unauthenticated script injection.

Root Cause

A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission 1.0, specifically in the /admin/update_s7.php file. The root cause is that the application takes user input from the sname parameter and outputs it directly to the web page without proper encoding or filtering [1]. This lack of sanitization allows an attacker to inject arbitrary HTML or JavaScript code.

Exploitation

An attacker can exploit this vulnerability remotely without requiring any authentication or prior authorization [1]. The attack is initiated by sending a crafted request to the vulnerable endpoint with a malicious payload in the sname parameter. The provided proof-of-concept uses a simple `` payload to demonstrate execution [1]. Because no login is needed, the attack surface is broad, and any user who visits the affected page after the payload is stored will trigger the script.

Impact

Successful exploitation allows an attacker to execute arbitrary script code in the victim's browser. This can lead to theft of cookies, session tokens, or other sensitive information, performing actions on behalf of the victim, defacing web pages, redirecting users to malicious sites, or even gaining control of the victim's browser [1]. The low CVSS score (2.4) reflects a limited rated impact, but the public availability of exploit code increases the risk of real-world attacks.

Mitigation

The vendor has not released a patch as of the publication date. The recommended fix is to properly encode user output when rendering it on the web page, ensuring that any injected script code is treated as text rather than executable code [1]. Users of this software should apply input validation and output encoding as a workaround until an official update is available.
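The following is an added illustration of the defect class and the recommended fix, not code from the Exam Form Submission project (the real /admin/update_s7.php is not reproduced on this page). The function names, the form field and the sample input are assumptions chosen for the example.

```php
<?php
// Added example, not the project's own code. The real update_s7.php is not shown
// on the advisory page; function and field names here are assumptions.
declare(strict_types=1);

// Encode a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes ' and " so the value cannot close the attribute early;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (the bug class the advisory describes): the stored student
// name is echoed into the admin edit form unencoded, so any markup that was
// submitted as sname is interpreted by the browser of whoever opens the page.
function renderNameFieldVulnerable(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// Hardened pattern: encode at the output point, for the context the value lands in.
function renderNameFieldSafe(string $sname): string
{
    return '<input type="text" name="sname" value="' . h($sname) . '">';
}

// Complementary input validation (the workaround the advisory recommends alongside
// output encoding): a student name is limited to letters, marks, spaces and a few
// punctuation characters, and to a sane length. Reject, do not "clean", on failure.
function isPlausibleStudentName(string $sname): bool
{
    return mb_strlen($sname, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{M} .\'-]+$/u', $sname) === 1;
}

// Constructed sample input containing markup characters (not an exploit string).
$sample = 'Jane "J" <Doe>';
echo renderNameFieldVulnerable($sample), PHP_EOL;   // attribute value is broken out of
echo renderNameFieldSafe($sample), PHP_EOL;         // quotes and angle brackets are encoded
var_dump(isPlausibleStudentName($sample));          // rejected before it is ever stored
var_dump(isPlausibleStudentName("Jane O'Doe"));     // accepted
```

Because the value is stored, the encoding has to be applied at every place that later renders sname, not only in the file named in the advisory; validation on input reduces what reaches the database but does not replace output encoding.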

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)
