Platform: php
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Code-Projects Online Student Management System version 1.0. The weakness resides in an unknown function reached through the /admin/announcement/index.php?view=add endpoint of the Announcement Management Module. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data.
The XSS vulnerability allows an attacker to inject arbitrary JavaScript into a page viewed by other users. This can lead to malicious actions such as stealing session cookies or credentials (session hijacking), redirecting users to phishing sites, or defacing the website. Because the flaw is in the announcement management module, an attacker could craft a malicious announcement whose payload executes when administrators or other users view it. The public availability of the exploit increases the risk of widespread exploitation.
The exploit for CVE-2026-2156 is publicly available, indicating a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant immediate attention. No KEV listing or active campaigns have been reported as of the publication date. The vulnerability was publicly disclosed on 2026-02-08.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation is to upgrade to a patched version of Code-Projects Online Student Management System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict server-side input validation on all user-supplied data within the announcement management module, specifically the view=add endpoint, and apply context-appropriate output encoding (HTML-entity encoding for element text and attribute values) so that stored announcement content is never interpreted as markup by the browser. A Web Application Firewall (WAF) with XSS protection rules can filter known malicious request patterns as an additional layer, but it does not replace output encoding.
Update the Online Student Management System to a version later than 1.0 that fixes the Cross-Site Scripting (XSS) vulnerability in the announcement management module. If no such version is available, it is recommended to disable or remove the announcement management module until a fix is published.
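The following is an added illustration of the validation-and-encoding workaround described above; it is example code written for this page, not code from Code-Projects Online Student Management System. It assumes a hypothetical `announcements` table with `title` and `body` columns and an existing PDO connection, since the application's real schema is not on the page.

```php
<?php
// Added example, not the project's own code. Assumes a hypothetical
// `announcements` table (title, body) and an existing PDO connection.
declare(strict_types=1);

// Output encoding: every user-controlled value rendered into HTML goes through
// this helper. ENT_QUOTES also escapes single quotes, so the result is safe in
// element text and in double- or single-quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation for the view=add form: reject oversized or malformed input
// server-side instead of trying to strip "bad" characters. Returns a list of
// error messages; an empty list means the input is acceptable.
function validateAnnouncement(array $post): array
{
    $errors = [];
    $title = trim((string)($post['title'] ?? ''));
    $body  = trim((string)($post['body'] ?? ''));
    if ($title === '' || mb_strlen($title, 'UTF-8') > 120) {
        $errors[] = 'Title is required and must be at most 120 characters.';
    }
    if ($body === '' || mb_strlen($body, 'UTF-8') > 4000) {
        $errors[] = 'Body is required and must be at most 4000 characters.';
    }
    // Control characters other than newline, carriage return and tab are rejected.
    if (preg_match('/[^\P{C}\r\n\t]/u', $title . $body)) {
        $errors[] = 'Control characters are not allowed.';
    }
    return $errors;
}

// Storing: a prepared statement keeps the value out of the SQL grammar. The raw
// text is stored as-is; encoding is applied at output time, not at input time.
function saveAnnouncement(PDO $pdo, string $title, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO announcements (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
}

// Rendering: the stored-XSS pattern is `echo $row['title'];` with no encoding.
// The hardened version encodes first, then applies nl2br to the encoded text.
function renderAnnouncement(array $row): string
{
    return '<h2>' . h($row['title']) . '</h2>'
         . '<p>' . nl2br(h($row['body'])) . '</p>';
}
```

Call `validateAnnouncement($_POST)` before `saveAnnouncement()`, and render every stored announcement through `renderAnnouncement()` in the admin and user views alike.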
CVE-2026-2156 is a cross-site scripting (XSS) vulnerability affecting Code-Projects Online Student Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Code-Projects Online Student Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is the recommended solution.
Upgrade to a patched version of the software. As a temporary workaround, implement strict input validation and output encoding.
The exploit is publicly available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the Code-Projects website or security mailing lists for the official advisory regarding CVE-2026-2156.