Platform: php
Component: student-management-system
Fixed in: 1.0.1
CVE-2026-5643 describes a cross-site scripting (XSS) vulnerability discovered in Cyber-III Student-Management-System. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability affects versions up to 1a938fa61e9f735078e9b291d2e6215b4942af3f, and a public proof-of-concept is available. Due to the project's rolling release model, specific fixed versions are not available.
Successful exploitation of CVE-2026-5643 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Cyber-III Student-Management-System. This can lead to various malicious outcomes, including stealing user credentials (usernames and passwords), redirecting users to phishing sites, or modifying the content displayed on the application. The attacker could potentially gain unauthorized access to sensitive student data or administrative functions, depending on the user's privileges. The remote nature of the vulnerability means an attacker does not need to be on the same network as the server to exploit it.
CVE-2026-5643 is a relatively low-severity vulnerability due to its CVSS score of 2.4. However, the availability of a public proof-of-concept significantly increases the risk of exploitation. While no active campaigns have been publicly reported, the ease of exploitation means it could be leveraged in opportunistic attacks. The vulnerability was publicly disclosed on 2026-04-06.
Exploit Status
EPSS: 0.03% (9th percentile)
Given the rolling release nature of Cyber-III Student-Management-System, a specific patched version is not immediately available. The primary mitigation is to apply the latest updates as they are released. Until an update is available, consider implementing input validation and output encoding on the /admin/Add%20notice/notice.php endpoint so that the value of $_SERVER['PHP_SELF'] is never written into the page unescaped. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review application logs for suspicious activity, particularly requests targeting the vulnerable endpoint.
Update the Student-Management-System to a patched version. Because the project uses a rolling release model, consult the project documentation or contact the vendor for information on affected versions and available updates. Implement proper user input validation and sanitization to prevent XSS attacks.
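As an added example (not code from the Cyber-III project, whose exact source is not on this page), the pattern that usually makes $_SERVER['PHP_SELF'] dangerous in a self-posting form, followed by the output-encoding fix described above and a variant that avoids reflecting the request path at all. The script path and the sample values in the self-check are constructed for illustration.

```php
<?php
// Added example, not Cyber-III code. Assumes a page that posts to itself,
// which is the usual reason PHP_SELF ends up inside a form action.

// Unsafe pattern of this class (illustrative). PHP_SELF echoes the request
// path as received, including any PATH_INFO the client appended, so writing
// it raw into an attribute lets the request control the resulting HTML:
//   echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';

// Mitigation 1: output encoding. Every value placed inside an HTML attribute
// goes through this, so quotes and angle brackets cannot close the attribute
// or open a new tag.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mitigation 2: do not reflect the request path at all. SCRIPT_NAME carries
// no PATH_INFO, and basename() keeps only the file name so the form posts to
// the same script by relative URL. Still encoded, as defence in depth.
function self_action(): string
{
    return attr(basename($_SERVER['SCRIPT_NAME']));
}

// Hardened form: the attribute value is encoded, whichever source is used.
function notice_form(): string
{
    return '<form action="' . self_action() . '" method="post">';
}

// Self-check from the CLI with constructed values (no web server needed):
//   php notice_hardening.php
if (PHP_SAPI === 'cli') {
    $_SERVER['SCRIPT_NAME'] = '/admin/Add notice/notice.php';
    // Constructed PATH_INFO containing only a quote and angle brackets,
    // enough to show why the raw value must not reach the attribute.
    $_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'] . '/"><x>';

    echo 'raw PHP_SELF:     ', $_SERVER['PHP_SELF'], PHP_EOL;
    echo 'encoded PHP_SELF: ', attr($_SERVER['PHP_SELF']), PHP_EOL;
    echo 'hardened form:    ', notice_form(), PHP_EOL;
}
```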
CVE-2026-5643 is a cross-site scripting (XSS) vulnerability affecting Cyber-III Student-Management-System versions up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. It allows attackers to inject malicious scripts.
If you are using Cyber-III Student-Management-System version 1a938fa61e9f735078e9b291d2e6215b4942af3f or earlier, you are potentially affected by this vulnerability.
Due to the rolling release model, a specific patched version is not immediately available. Apply the latest updates as they are released and implement input validation and output encoding as a temporary mitigation.
While no active campaigns have been publicly reported, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the project's official channels for updates and advisories regarding CVE-2026-5643.