Platform: php
Component: cve-niuzzz
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Exam Form Submission version 1.0. The flaw is in /admin/update_s7.php, which reflects the 'sname' argument into its HTML output without adequate validation or encoding, so an attacker who controls that value can inject script into the page. The issue is publicly known and a fix is available.
Successful exploitation of CVE-2026-4909 lets an attacker run arbitrary JavaScript in the browser of whoever loads the affected page; because the script sits under /admin/, that is typically an administrator's session. Consequences include session hijacking, credential theft and defacement of the administrative interface, and through the hijacked session the attacker may read sensitive data or change application settings. The public proof of concept lowers the effort needed to exploit the flaw.
CVE-2026-4909 carries a low CVSS base score of 2.4; a score this low for an XSS is consistent with the endpoint living under /admin/, where the attacker needs an authenticated administrative session or must lure an administrator into submitting a crafted request. A public proof-of-concept exploit exists, which raises the likelihood of opportunistic attempts, although the EPSS estimate of 0.03% indicates that widespread exploitation is not expected. The vulnerability was disclosed on 2026-03-27. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-4909 is to upgrade to a patched version of Exam Form Submission. If an immediate upgrade is not possible, apply strict input validation and context-aware output encoding to the 'sname' parameter in /admin/update_s7.php, and restrict access to the /admin/ directory to trusted administrators. A Web Application Firewall with XSS rules can block the obvious payloads in the meantime, but it is a stopgap rather than a fix. Review other user-supplied inputs in the application for the same pattern, since a reflected parameter that was missed once is rarely the only one.
When fixing the code itself, encode the 'sname' value for the exact context into which it is written: in PHP that means htmlspecialchars() with ENT_QUOTES for HTML body and attribute contexts, and a different encoder if the value ever lands inside a JavaScript block or a URL. Validation alone (an allow-list of name characters) is a useful first line, but output encoding is what prevents the injection regardless of what the validator accepts.
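The following is an added example, not the project's own code: the real contents of /admin/update_s7.php are not on this page, so the handler below is a hypothetical reconstruction of a form that reflects the 'sname' (student name) parameter into an HTML attribute. It places the vulnerable pattern beside a hardened version that validates the value against an allow-list and then HTML-encodes it for the attribute context, with a Content-Security-Policy header as defence in depth. The field name, HTTP method and the name character set are assumptions.

```php
<?php
// Added example (not from the Exam Form Submission project). Assumes a handler
// that reflects the submitted 'sname' into an HTML form field.
// Web:  php -S 127.0.0.1:8080 example.php
//       GET /example.php?sname=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// CLI:  php example.php   (prints vulnerable vs. hardened rendering)
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is interpolated straight into HTML.
function render_vulnerable(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// Allow-list validation for a human name. Assumption: the field only ever
// holds names, so letters (any script), combining marks, spaces, apostrophes,
// hyphens and dots, 1 to 100 characters, are sufficient.
function validate_sname(string $sname): ?string
{
    $sname = trim($sname);
    if (preg_match('/^[\p{L}\p{M}\s\'.-]{1,100}$/u', $sname) !== 1) {
        return null;
    }
    return $sname;
}

// HTML-context encoder. ENT_QUOTES covers both " and ' so the value is safe in
// either attribute quoting style; ENT_SUBSTITUTE avoids returning an empty
// string (silent data loss) on malformed UTF-8.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate, then encode for the exact output context.
// Returns null when the value is rejected so the caller can answer 400.
function render_hardened(string $sname): ?string
{
    $clean = validate_sname($sname);
    if ($clean === null) {
        return null;
    }
    return '<input type="text" name="sname" value="' . esc_html($clean) . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: an XSS payload that breaks out of the attribute, and a
    // legitimate name whose apostrophe must survive encoding without breaking the attribute.
    foreach (['"><script>alert(document.cookie)</script>', "O'Neil"] as $input) {
        echo "input:      {$input}", PHP_EOL;
        echo "vulnerable: ", render_vulnerable($input), PHP_EOL;
        echo "encode-only: ", '<input type="text" name="sname" value="' . esc_html($input) . '">', PHP_EOL;
        echo "hardened:   ", render_hardened($input) ?? '(rejected by validation)', PHP_EOL, PHP_EOL;
    }
    exit(0);
}

// Web path. The request parameter name and method are assumptions.
$sname = (string) ($_POST['sname'] ?? $_GET['sname'] ?? '');
header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: does not fix the bug, but blocks inline script even if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$html = render_hardened($sname);
if ($html === null) {
    http_response_code(400);
    echo '<p>Invalid student name.</p>';
    exit;
}
echo $html;
```

Run from the CLI, the script payload is emitted verbatim by the vulnerable renderer (the attribute closes early and the script tag becomes live markup), is neutralised by encode-only output (quotes and angle brackets become entities, so the browser sees text), and is rejected outright by the validator; the apostrophe in "O'Neil" is accepted and encoded as an entity so it cannot terminate the attribute. Encoding is the control that actually stops the injection; validation narrows the attack surface and gives a cleaner failure.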
CVE-2026-4909 is a cross-site scripting vulnerability in Exam Form Submission version 1.0, affecting the /admin/update_s7.php file. Attackers can inject malicious scripts by manipulating the 'sname' parameter.
Yes. If you run Exam Form Submission version 1.0, you are affected; upgrade to a patched version as soon as possible and, until then, limit who can reach the /admin/ interface.
The recommended fix is to upgrade to a patched version of Exam Form Submission. If upgrading is not immediately possible, implement input validation and output encoding on the 'sname' parameter.
A public proof-of-concept exploit is available, so attempts against exposed instances are plausible even though no campaigns are confirmed. Monitor your systems closely: review web server access logs for requests to /admin/update_s7.php whose 'sname' parameter contains script-like content (angle brackets, quotes, or URL-encoded equivalents), and treat any such request as a sign that an administrator may have been targeted.
Refer to the official Exam Form Submission project website or repository for the latest security advisories and updates related to CVE-2026-4909.