Platform: php
Component: hajimi
Fixed in: 1.0.1
CVE-2026-5106 describes a cross-site scripting (XSS) vulnerability discovered in Exam Form Submission version 1.0. This flaw resides within the /admin/update_fst.php file, specifically in an unknown function. An attacker can exploit this vulnerability by manipulating the 'sname' argument, potentially leading to malicious script execution within a user's browser. A public exploit is already available.
Successful exploitation of CVE-2026-5106 allows an attacker to inject arbitrary JavaScript code into the Exam Form Submission application. This could lead to various malicious outcomes, including session hijacking, defacement of the application's administrative interface, and redirection of users to phishing sites. The attacker could steal sensitive data entered into the exam forms, potentially compromising student information or exam results. Because the vulnerability is remotely exploitable, the blast radius extends to any user accessing the vulnerable administrative panel.
The exploit for CVE-2026-5106 has been publicly released, indicating a higher likelihood of exploitation. While the CVSS score is LOW (2.4), the availability of a public exploit significantly increases the risk. No KEV listing or active exploitation campaigns have been reported as of the publication date (2026-03-30).
Exploit Status
EPSS: 0.03% (8th percentile)
As a direct fix is pending, immediate mitigation focuses on preventing exploitation. Implement strict input validation on the 'sname' parameter in /admin/update_fst.php, rejecting any input containing potentially malicious characters. Employ robust output encoding to sanitize any data displayed to users, preventing injected scripts from executing. Consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting this specific endpoint. Regularly review and update the application's codebase to address potential security vulnerabilities.
Update to a patched version or apply the necessary security measures to prevent the injection of malicious code through the 'sname' parameter in the file '/admin/update_fst.php'. Validate and sanitize user inputs to prevent Cross-Site Scripting (XSS) attacks.
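The two mitigations above, input validation and output encoding on the 'sname' parameter, shown as an added example in PHP. This is not code from Exam Form Submission: the project's actual /admin/update_fst.php is not on this page, so the "unsafe" function below is an assumption about the bug class the advisory describes (a value reflected into HTML without encoding), and the function names and the accepted-character policy are illustrative choices.

```php
<?php
// Added example (not code from Exam Form Submission): safe handling of the
// 'sname' parameter in a page like /admin/update_fst.php. The vulnerable
// pattern is an ASSUMPTION about the bug class, not the project's source.

declare(strict_types=1);

// ASSUMED vulnerable pattern: the submitted value is echoed straight back
// into an HTML attribute, so any markup in 'sname' becomes part of the page.
function renderStudentNameUnsafe(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// Mitigation 1: validate the input against an allow-list of characters a
// student name can reasonably contain, and bound its length.
function isValidStudentName(string $sname): bool
{
    // Letters in any script, combining marks, whitespace, apostrophe, dot, hyphen.
    return $sname !== ''
        && mb_strlen($sname, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{M}\s\'.\-]+$/u', $sname) === 1;
}

// Mitigation 2: always encode on output for the HTML attribute context.
// ENT_QUOTES encodes both quote styles so the value cannot close the
// attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 input.
function renderStudentNameSafe(string $sname): string
{
    $encoded = htmlspecialchars($sname, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="sname" value="' . $encoded . '">';
}

// Request handler: reject invalid input before any processing, and encode
// whatever is reflected back regardless (defence in depth: the encoding
// step protects the page even if the validation rule is later relaxed).
function handleUpdateRequest(array $post): array
{
    $sname = (string) ($post['sname'] ?? '');

    if (!isValidStudentName($sname)) {
        return ['status' => 400, 'body' => 'Invalid student name.'];
    }

    return ['status' => 200, 'body' => renderStudentNameSafe($sname)];
}

// Constructed sample inputs for demonstration only.
$samples = [
    'Maria O\'Neill',                 // legitimate name: accepted and encoded
    'Ann <script>alert(1)</script>',  // markup in the name: rejected
];

foreach ($samples as $s) {
    $result = handleUpdateRequest(['sname' => $s]);
    echo $result['status'], ' ', $result['body'], PHP_EOL;
    // Output encoding alone already neutralises the markup:
    echo '    encoded: ', renderStudentNameSafe($s), PHP_EOL;
}
```

Run with `php example.php`. The allow-list rejects the second sample outright, and the encoded line shows that even without validation the angle brackets and quotes are emitted as entities, so the browser renders them as text rather than executing them. A WAF rule on this endpoint, as the advisory suggests, is a useful extra layer but not a substitute for encoding at the point of output.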
CVE-2026-5106 is a cross-site scripting (XSS) vulnerability in Exam Form Submission version 1.0, affecting the /admin/update_fst.php file. Exploitation involves manipulating the 'sname' argument to inject malicious scripts.
If you are using Exam Form Submission version 1.0 and have not applied a fix, you are potentially vulnerable. Administrators and users accessing /admin/update_fst.php are at highest risk.
A direct fix is pending. Mitigate by implementing strict input validation on the 'sname' parameter and robust output encoding. Consider a WAF to block XSS attempts.
While no active campaigns are confirmed, a public exploit is available, increasing the likelihood of exploitation.
Refer to the code-projects website or relevant security mailing lists for updates and advisories regarding CVE-2026-5106.