VYPR
Low severity (3.5) · NVD Advisory · Published Mar 27, 2026 · Updated Apr 29, 2026

CVE-2026-4973

Description

A vulnerability was detected in SourceCodester Online Quiz System up to 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-question.php. Performing a manipulation of the argument quiz_question results in cross-site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in SourceCodester Online Quiz System 1.0 allows teacher-level attackers to inject persistent JavaScript via the quiz_question parameter.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Online Quiz System version 1.0. The flaw resides in the endpoint/add-question.php file, where the quiz_question parameter is not sanitized before being stored in the database. When the stored data is later rendered in quiz.php and take-quiz.php without output encoding (e.g., htmlspecialchars), any injected JavaScript executes in the browsers of users viewing those pages [1].

Exploitation

Prerequisites

An attacker must have teacher-level access to the application to reach the Add Question functionality. No additional authentication is required beyond a valid teacher account. The attack is performed remotely by submitting a crafted payload in the quiz_question field. The payload is stored and automatically executed when any user (including students) visits the affected quiz pages [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, account takeover, phishing attacks, or unauthorized actions on behalf of the victim. Because the payload is stored and affects all users who view the quiz, the impact extends beyond a single victim [1].

Mitigation

As of the publication date, no official patch has been released by SourceCodester, and the vendor has not acknowledged the vulnerability. The correct fix is output encoding: wherever quiz.php and take-quiz.php place the stored quiz_question into HTML, pass it through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') (or the encoder appropriate to an attribute, script or URL context). Encoding the value on input in add-question.php is weaker: it misses any other path that writes the same column and corrupts legitimate uses of the text outside HTML, so treat input validation (length and character-set limits) as a secondary control only. A Content-Security-Policy that disallows inline script limits what an injected payload can do but does not remove the flaw. Given the public availability of exploit details, immediate remediation is recommended [1].
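The following PHP is an added example for this advisory, not code from SourceCodester Online Quiz System. It models the pattern described under Overview (quiz_question stored verbatim by add-question.php and echoed raw by quiz.php / take-quiz.php) beside the output-encoding fix recommended above. The questions table, its column names, the function names and the in-memory SQLite database are assumptions made for illustration; the real application uses MySQL. It runs with `php example.php` on PHP 8 with the pdo_sqlite extension enabled.

```php
<?php
// Added example, not code from SourceCodester Online Quiz System.
// Table/column names and the SQLite in-memory database are assumptions.
declare(strict_types=1);

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, quiz_id INTEGER, quiz_question TEXT)');
    return $db;
}

// Storage path (the add-question.php role). A prepared statement stops SQL
// injection but deliberately stores the text unmodified: encoding belongs at
// output, where the destination context (HTML body, attribute, script) is known.
function addQuestion(PDO $db, int $quizId, string $quizQuestion): int
{
    $stmt = $db->prepare('INSERT INTO questions (quiz_id, quiz_question) VALUES (:quiz_id, :quiz_question)');
    $stmt->execute([':quiz_id' => $quizId, ':quiz_question' => $quizQuestion]);
    return (int) $db->lastInsertId();
}

function fetchQuestion(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT quiz_question FROM questions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $text = $stmt->fetchColumn();
    return $text === false ? '' : (string) $text;
}

// Vulnerable render (the quiz.php / take-quiz.php pattern the advisory describes):
// whatever the teacher submitted is concatenated straight into the page.
function renderQuestionVulnerable(PDO $db, int $id): string
{
    return '<div class="question">' . fetchQuestion($db, $id) . '</div>';
}

// Encoder for HTML element content and quoted attribute values.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop the question.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened render: same query, encoded at the point of output.
function renderQuestionSafe(PDO $db, int $id): string
{
    return '<div class="question">' . h(fetchQuestion($db, $id)) . '</div>';
}

// Constructed payload of the kind a teacher-level account could submit.
$db = openDatabase();
$payload = '<img src=x onerror="alert(document.cookie)">';
$id = addQuestion($db, 1, $payload);

$vulnerable = renderQuestionVulnerable($db, $id);
$safe = renderQuestionSafe($db, $id);

echo "vulnerable: $vulnerable\n";
echo "hardened:   $safe\n";

// Regression check: inside the fixed wrapper, the hardened output must carry
// no raw HTML metacharacters, only their entity forms.
$inner = substr($safe, strlen('<div class="question">'), -strlen('</div>'));
if (strpbrk($inner, '<>"\'') !== false) {
    fwrite(STDERR, "FAIL: raw HTML metacharacters survived output encoding\n");
    exit(1);
}
echo "OK: payload rendered inert\n";
```

htmlspecialchars is the right tool only for HTML element content and quoted attribute values. If quiz_question is ever written into an inline script block, use json_encode with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS instead; if it lands in a URL, use rawurlencode. To confirm a deployed fix, submit the same constructed payload through the Add Question form on a test instance and inspect the page source of quiz.php and take-quiz.php for the entity-encoded form rather than a live tag.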

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0. No linked articles in our index yet.