VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

yashpokharna2555 StudentManagementSystem student.php cross site scripting

CVE-2026-9471

Description

A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. It affects an unknown function of the file /student.php. Manipulating the argument FIRST_NAME results in cross-site scripting. The attack can be initiated remotely. The exploit is now public and may be used. This product uses continuous delivery with rolling releases, so no version details are available for affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in StudentManagementSystem's student.php via unsanitized FIRST_NAME output allows remote attackers to execute arbitrary JavaScript.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the StudentManagementSystem project by yashpokharna2555 [1]. The flaw resides in the file /student.php, where the FIRST_NAME parameter is retrieved from the database and directly output into an HTML element without any sanitization or encoding [2]. The project uses continuous delivery with rolling releases, so no specific affected version is available; the commit `cb2f558ddf8d19396de0f92abf2d224d46a0a203` is known to be vulnerable [1].

Exploitation

An attacker must first insert a malicious JavaScript payload into the FIRST_NAME field, which can be achieved through a separate unauthorized data insertion vulnerability (also reported in the same issue) [2]. After the payload is stored, any authenticated user who visits /student.php will trigger the script execution in their browser. The proof-of-concept uses `` as the payload [2]. No special network position is required beyond remote access to the application.

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session. This can lead to theft of session cookies, enabling full account takeover, and if an administrator triggers the payload, it may result in privilege escalation or back-end data manipulation [2].

Mitigation

No official fix has been released; the project maintainer was informed via an issue report but has not responded [2]. As of the publication date, no patched version exists. Users should sanitize all user-supplied output, especially the FIRST_NAME field, by encoding HTML entities before rendering. Until a fix is available, restricting access to the application or implementing a web application firewall (WAF) rule to block script payloads may reduce risk.
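
An added example, not code from the StudentManagementSystem repository: output encoding applied at the point where a stored FIRST_NAME value is written into HTML, next to the unencoded pattern the advisory describes. The `<td>` element, the helper names, the other column names and the sample rows are assumptions (the page does not show the original markup), and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the student table. Column names
// other than FIRST_NAME, and the <td> element, are assumptions.
$rows = [
    ['ID' => 1, 'FIRST_NAME' => 'Asha', 'LAST_NAME' => "O'Neil"],
    ['ID' => 2, 'FIRST_NAME' => '<script>/* constructed marker */</script>', 'LAST_NAME' => null],
];

// Pattern the advisory describes: the stored value is placed into markup as-is.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['FIRST_NAME'] . '</td></tr>';
}

// Encode at the point of output. ENT_QUOTES also covers quoted attribute
// values; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function e(mixed $value): string
{
    return htmlspecialchars((string) ($value ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every column goes through e(), not only FIRST_NAME.
function renderRowSafe(array $row): string
{
    $cells = array_map(fn ($v): string => '<td>' . e($v) . '</td>', $row);
    return '<tr>' . implode('', $cells) . '</tr>';
}

foreach ($rows as $row) {
    echo 'unsafe: ', renderRowUnsafe($row), PHP_EOL;
    echo 'safe:   ', renderRowSafe($row), PHP_EOL;

    // Regression check: no raw tag from stored data may survive encoding.
    if (str_contains(renderRowSafe($row), '<script')) {
        throw new RuntimeException('stored markup reached the page unencoded');
    }
}
```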

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output sanitization of the FIRST_NAME database field when rendered into an HTML "

Attack vector

An attacker first exploits a separate unauthorized data insertion vulnerability to insert a malicious JavaScript payload into the `FIRST_NAME` field of a student record [ref_id=1]. When any authenticated user (including an administrator) visits `student.php`, the unsanitized `FIRST_NAME` value is rendered inside a `

Affected code

The vulnerability is in the file `student.php`, around line 36. The script retrieves the `FIRST_NAME` field from the database and outputs it directly into an HTML `

What the fix does

No patch has been published by the project maintainer. The advisory recommends sanitizing or encoding the `FIRST_NAME` output in `student.php` before rendering it into the HTML `

Preconditions

  • input: Attacker must have a way to insert a student record with a malicious FIRST_NAME value (the advisory notes this requires a separate unauthorized data insertion vulnerability).
  • auth: A victim must be authenticated and visit the student.php page.
  • network: The application must be reachable over the network.

Reproduction

1. Using the separate unauthorized data insertion vulnerability, add a student with the first name: `

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
