Platform: php
Component: student-management-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Cyber-III Student-Management-System, affecting versions up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This flaw allows attackers to inject malicious scripts into the application, potentially stealing user data or performing actions on their behalf. Due to the product's rolling release model, specific affected and updated versions are not available. The vendor has been notified and is likely working on a fix.
The XSS vulnerability in Cyber-III Student-Management-System allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. Attackers could steal sensitive information like student records, grades, or administrative credentials. Given the nature of student management systems, a successful attack could also compromise the privacy of a large number of individuals. The vulnerability's remote accessibility significantly broadens the potential attack surface.
This vulnerability has a CVSS score of 2.4 (LOW), indicating a relatively limited impact. However, the availability of a public exploit significantly increases the risk of exploitation. The lack of specific version details complicates patching efforts. Monitor security advisories and community discussions for updates and potential exploitation patterns. The description indicates the exploit has been released to the public, suggesting active scanning and potential attacks are already underway.
EPSS: 0.03% (9th percentile)
Due to the rolling release nature of Cyber-III Student-Management-System, a specific patched version is not yet available. Immediate mitigation strategies include implementing strict input validation on the $_SERVER['PHP_SELF'] value used within the /admin/Add%20notice/batch-notice.php file. Output encoding, such as HTML entity encoding, prevents the browser from interpreting injected content as executable code. Web application firewalls (WAFs) configured to detect and block XSS payloads provide an additional layer of defense. Regularly review and update security policies to address emerging threats.
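The following is an added example, not code from the Student-Management-System project: it shows the typical way $_SERVER['PHP_SELF'] ends up reflected into a page (the form-action pattern is an assumption; the advisory only names the file and the value) next to the two mitigations described above, output encoding and validation against path info.

```php
<?php
// Added example (not the project's code). $_SERVER['PHP_SELF'] is the request
// path as sent by the client, so any path info appended after the script name
// is reflected verbatim wherever the value is echoed.

// Vulnerable pattern: the raw request path is written into an HTML attribute.
function vulnerableFormAction(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Mitigation 1, output encoding: HTML entity encoding with ENT_QUOTES covers both
// quote styles, so the value can no longer terminate the attribute or start a tag.
function encodedFormAction(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// Mitigation 2, input validation: SCRIPT_NAME is the server-resolved script path
// without path info, so PHP_SELF must equal it exactly. Anything else is rejected.
function validatedPath(string $phpSelf, string $scriptName): ?string
{
    return $phpSelf === $scriptName ? $phpSelf : null;
}

// Constructed probe value: the real script path with extra path info that
// carries markup. Real requests would arrive URL-encoded; PHP decodes PHP_SELF.
$scriptName = '/admin/Add notice/batch-notice.php';
$probe      = $scriptName . '/"><b>injected</b>';

// Unencoded: the probe's quote and angle brackets reach the page as markup.
echo vulnerableFormAction($probe), PHP_EOL;

// Encoded: the same characters are emitted as HTML entities and render as text.
echo encodedFormAction($probe), PHP_EOL;

// Validated: the probe carries path info, so it is rejected (NULL); the bare
// script path is accepted.
var_dump(validatedPath($probe, $scriptName));
var_dump(validatedPath($scriptName, $scriptName));
```

Encoding at the output point is the fix that survives new call sites; the validation check is a cheap extra guard for pages that should never receive path info at all.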
Update the Student-Management-System to a patched version. Due to the nature of continuous updates, consult the vendor's documentation or contact support for information on patched versions and upgrade steps. The project has not responded to issue reports, so it is crucial to monitor vendor updates.
CVE-2026-5644 is a cross-site scripting (XSS) vulnerability affecting Cyber-III Student-Management-System versions up to 1a938fa61e9f735078e9b291d2e6215b4942af3f, allowing attackers to inject malicious scripts.
If you are using Cyber-III Student-Management-System version 1a938fa61e9f735078e9b291d2e6215b4942af3f or earlier, you are potentially affected by this XSS vulnerability.
Due to the rolling release model, a specific patch is not yet available. Mitigate by implementing strict input validation and output encoding, and consider using a WAF.
A public exploit exists, suggesting active scanning and potential attacks are already underway.
Consult the Cyber-III project website and security mailing lists for the latest advisory regarding CVE-2026-5644.