VYPR
Medium severity (4.3) · NVD Advisory · Published May 26, 2026

CVE-2026-9518

Description

A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via unsanitized student name input.

Vulnerability

Stored Cross-Site Scripting (XSS) exists in the hemant6488 CodeIgniter-StudentManagementSystem. The addStudent method in the Students controller does not sanitize the Name parameter before storing it in the database. Subsequently, the view_students.php view renders the student name without HTML entity encoding, leading to persistent XSS. The project uses a rolling release, so no specific version is identified; however, the issue is present in the repository as of the advisory date [1].

Exploitation

An unauthenticated remote attacker can send a POST request to the `/index.php/students/addStudent` endpoint with a malicious `name` parameter containing a JavaScript payload (e.g., a `<script>` tag). The payload is stored and executed when any user visits the student listing page (`/index.php/students`). No authentication is required due to a separate broken access control issue [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user viewing the infected page. This can lead to session hijacking, account takeover (especially if an administrator views the page), defacement, or further attacks via stolen credentials [2].

Mitigation

As of the advisory publication, the vendor has not responded to the issue report and no patch is available. The project adopts a rolling release, so version-specific fixes are not defined. Users are advised to apply input sanitization and output encoding manually, or discontinue use until a fix is provided. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization on the Name parameter in addStudent and missing HTML entity encoding in view_students.php allow stored cross-site scripting."

Attack vector

An unauthenticated remote attacker sends a POST request to the addStudent endpoint with a malicious JavaScript payload in the Name parameter (e.g., `XSS<script>alert(1)</script>`) [ref_id=1]. The payload is stored in the database without sanitization. When any user visits the student listing page at `/index.php/students`, the view_students.php file renders the stored name directly without HTML entity encoding, causing the browser to execute the injected script [ref_id=1]. The attack requires no authentication and no special privileges [ref_id=1].

Affected code

The vulnerable code is in `application/views/view_students.php` at lines 33–34, where the student name is rendered without HTML entity encoding [ref_id=1]. The addStudent method in the Students controller stores user-supplied data without input filtering or sanitization [ref_id=1].

What the fix does

No patch has been published by the project maintainer; the project was informed via an issue report but has not responded [ref_id=1]. The remediation requires two changes: (1) the addStudent method must filter or sanitize user-supplied input before storing it in the database, and (2) the view_students.php view must apply HTML entity encoding (e.g., `htmlspecialchars()` in PHP) when rendering the student name to prevent script execution [ref_id=1].
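The two remediation changes described above, as an added stand-alone PHP example (not the project's code): the field names follow the advisory's reproduction request, and the controller/view split of the CodeIgniter application is assumed.

```php
<?php
// Added example, not the project's code. Shows the two changes the
// remediation calls for, as plain PHP so the effect can be observed.
// Field names (rno, name) follow the advisory; everything else is assumed.

// Rough equivalent of the vulnerable rendering in view_students.php:
// the stored name is echoed straight into the HTML.
function render_row_vulnerable(array $student): string
{
    return '<tr><td>' . $student['rno'] . '</td><td>' . $student['name'] . '</td></tr>';
}

// Fix (2): encode on output. ENT_QUOTES also encodes ' and " so the value
// is safe inside attribute values, not only in text nodes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $student): string
{
    return '<tr><td>' . esc($student['rno']) . '</td><td>' . esc($student['name']) . '</td></tr>';
}

// Fix (1): validate in the controller before storing. This is defence in
// depth; the output encoding above is what actually stops the XSS, since a
// name that passes validation must still be encoded wherever it is rendered.
function validate_student_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;                               // reject empty / oversized
    }
    // letters (any script), combining marks, spaces, apostrophes, hyphens, periods
    if (!preg_match("/^[\p{L}\p{M} .'\-]+$/u", $name)) {
        return null;                               // rejects < > & " ( ) etc.
    }
    return $name;
}

// Constructed sample matching the advisory's payload.
$student = ['rno' => '2026004', 'name' => 'XSS<script>alert(1)</script>'];

echo render_row_vulnerable($student), PHP_EOL;      // a browser would run the script
echo render_row_safe($student), PHP_EOL;            // &lt;script&gt; renders as literal text
var_dump(validate_student_name($student['name']));  // NULL: rejected at the controller
var_dump(validate_student_name("Mary-Jane O'Neil")); // string: accepted
```

Output encoding in the view is the change that closes the vulnerability; the controller-side check only narrows what reaches the database and must not be relied on alone.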

Preconditions

  • Network: the attacker must be able to reach the web application over HTTP.
  • Input: the attacker must submit a POST request to the addStudent endpoint with a malicious payload in the Name parameter.

Reproduction

1. Send a POST request to the addStudent endpoint with a malicious name value: `curl.exe -i -s -X POST http://localhost:8000/index.php/students/addStudent -d "rno=2026004" -d "name=XSS<script>alert(1)</script>" -d "res_add=XSS" -d "gender=Male" -d "passing_year=2026" -d "interests[]=XSS"` [ref_id=1].
2. Access the student listing page at `http://localhost:8000/index.php/students` [ref_id=1].
3. Observe that a JavaScript alert box appears, confirming execution of the injected script [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)