Platform
php
Component
cve1
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Exam Form Submission version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data integrity. The vulnerability resides within the /admin/update_s1.php file, specifically related to the handling of the 'sname' argument. A fix is available.
Successful exploitation of CVE-2026-4557 allows an attacker to execute arbitrary JavaScript in the browser of a user who views the affected page. This can lead to session hijacking, defacement of the application, or theft of sensitive information such as login credentials or personal data. Because the vulnerable file sits under /admin/ (/admin/update_s1.php), the script will typically run inside an administrator's authenticated session, so any action the administrator can perform in the application can be performed by the injected script. The public availability of an exploit lowers the effort needed to abuse the flaw.
This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-03-22. While no specific threat actors have been linked to exploitation, the ease of exploitation makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV.
Administrators and users of Exam Form Submission version 1.0 are at risk, in particular anyone whose browser renders a value supplied through the 'sname' parameter while logged in to the administrative interface. Installations that manage sensitive student data through the application are at heightened risk, since an administrator's session gives access to that data.
• php / web (locate where 'sname' is read and check whether it is escaped before being echoed):
grep -rn "sname" /var/www/exam_form_submission/admin/update_s1.php
grep -rn "htmlspecialchars\|htmlentities" /var/www/exam_form_submission/admin/update_s1.php
• generic web (send a harmless marker and check whether it comes back unescaped; the page is under /admin/, so an authenticated session cookie is usually required, and a HEAD request would not return the body):
curl -s -b "PHPSESSID=<admin-session>" "http://your-exam-form-submission-site.com/admin/update_s1.php?sname=%3Cscript%3Ealert(1)%3C%2Fscript%3E" | grep -c "<script>alert(1)</script>"
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4557 is to upgrade to the patched version of Exam Form Submission. If an immediate upgrade is not feasible, implement a Web Application Firewall (WAF) rule to filter input containing script tags or other XSS payloads targeting the 'sname' parameter in /admin/update_s1.php; treat this as a stopgap, since WAF filters for XSS are routinely bypassed. Server-side input validation and, above all, escaping of the value on output in its HTML context are the actual fix. Consider a Content Security Policy (CSP) that disallows inline scripts to limit the impact of any escaping that is missed.
Update the Exam Form Submission application to a patched version that fixes the cross-site scripting (XSS) vulnerability. Alternatively, apply a manual patch to /admin/update_s1.php so that the user input in the 'sname' parameter is validated and escaped correctly before it is rendered on the page.
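The following is an added example, not code from the Exam Form Submission project. It reconstructs the pattern the advisory describes (a 'sname' value taken from the request and echoed into an admin page) and places the vulnerable form next to a hardened one; the function names, the attribute context and the character whitelist are assumptions made for the illustration.

```php
<?php
// Added example (not the project's code). Hypothetical reconstruction of the
// 'sname' handling described for /admin/update_s1.php, vulnerable and hardened.
declare(strict_types=1);

// --- Vulnerable pattern (assumed) ---
// The raw parameter is concatenated into markup. A value such as
//   "><script>alert(1)</script>
// closes the attribute and runs in the browser of whoever views the page,
// whether the value is reflected immediately or stored and shown later.
function render_vulnerable(array $request): string
{
    $sname = $request['sname'] ?? '';
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// --- Hardened pattern ---
// Step 1: validate the input against what a student name may contain.
// The whitelist (Unicode letters, space, dot, apostrophe, hyphen) and the
// length limit are assumptions; adjust them to the application's data.
function validate_sname(string $raw): string
{
    $sname = trim($raw);
    if ($sname === '' || strlen($sname) > 200 || !preg_match('/^[\p{L} .\'-]+$/u', $sname)) {
        throw new InvalidArgumentException('invalid sname');
    }
    return $sname;
}

// Step 2: escape on output for the HTML attribute context.
// ENT_QUOTES encodes both " and ' (the value sits inside a quoted attribute),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $request): string
{
    try {
        $sname = validate_sname((string) ($request['sname'] ?? ''));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return '<p>Invalid student name.</p>';
    }
    return '<input type="text" name="sname" value="' . esc($sname) . '">';
}

// Defence in depth: a CSP without 'unsafe-inline' means an injected inline
// <script> is refused by the browser even if an escape is missed somewhere.
function send_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demo with constructed inputs (not real data).
send_csp();
$attack = ['sname' => '"><script>alert(1)</script>'];
$legit  = ['sname' => "O'Brien"];

echo "vulnerable: ", render_vulnerable($attack), "\n";   // payload lands in the page as-is
echo "hardened:   ", render_hardened($attack), "\n";     // rejected with HTTP 400
echo "hardened:   ", render_hardened($legit), "\n";      // apostrophe rendered as &#039;
```

The escape is applied where the value is written into HTML, not where it is read; if the same value is also written into a JavaScript string or a URL, each of those contexts needs its own encoder. Storing the raw, validated value and escaping on every output keeps the data intact and the rendering safe.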
CVE-2026-4557 is a cross-site scripting (XSS) vulnerability in Exam Form Submission version 1.0, allowing attackers to inject malicious scripts via the 'sname' parameter in /admin/update_s1.php.
If you are using Exam Form Submission version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade to the latest patched version of Exam Form Submission. If upgrading is not immediately possible, implement WAF rules to filter malicious input and sanitize server-side input.
A public proof-of-concept is available, so exploitation requires little effort. Note, however, that the EPSS score is low (0.03%) and the CVE is not listed on CISA KEV, so there is currently no evidence of exploitation in the wild.
Refer to the official Exam Form Submission project website or repository for the latest security advisories and updates.