Platform
php
Component
student-management-system
Fixed in
1.0.1
CVE-2026-5668 describes a cross-site scripting (XSS) vulnerability in Cyber-III Student-Management-System. The file /admin/Add%20notice/add%20notice.php writes the value of $_SERVER['PHP_SELF'] into its HTML without encoding it. Because PHP_SELF is the script name plus any extra path (PATH_INFO) the client appends to the URL, an attacker can place HTML or JavaScript after add%20notice.php in the request path and have it reflected into the page. The flaw is present in the code base up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f and can be triggered remotely. The project follows a rolling release model and does not publish numbered versions, so the affected range is identified by commit hash rather than by version.
Successful exploitation of CVE-2026-5668 allows an attacker to run arbitrary JavaScript in a victim's browser in the context of the Cyber-III Student-Management-System origin. This is reflected XSS: the affected page sits in the admin area, so the realistic target is an administrator who is lured into opening a crafted link, and the injected script then runs with that administrator's session. Possible outcomes include session hijacking, defacement of the application, redirection of users to phishing sites, theft of student data, modification of records, and use of administrative functions on the victim's behalf. No local access is required, which widens the attack surface, and the published exploit increases the likelihood of prompt exploitation.
An exploit for CVE-2026-5668 has been publicly released, which raises the probability of exploitation. The CVSS score is LOW (2.4), reflecting in part the need to lure a privileged user, but the public exploit makes the practical risk higher than the score alone suggests. The issue was reported to the project early; at the time of writing no fix was available, and because the project uses a rolling release model any fix will arrive as a commit rather than a numbered release. Monitor for exploitation attempts and apply mitigations as quickly as possible.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
Given the rolling release nature of Cyber-III Student-Management-System, a direct upgrade to a patched build may not be immediately available. The root cause is that /admin/Add%20notice/add%20notice.php writes $_SERVER['PHP_SELF'] into its HTML unencoded, so the durable fix is in the code: pass the value through htmlspecialchars() with ENT_QUOTES before placing it in an attribute, or stop using PHP_SELF in the form action altogether (an empty action posts back to the current URL). Note that PHP_SELF is not a request parameter; the attacker-controlled part is the extra path appended after the script name, so validation of GET or POST fields alone will not catch it. As an interim control, a Web Application Firewall (WAF) rule can reject requests to that endpoint whose path continues past add%20notice.php or contains HTML metacharacters such as <, > and quotes. A Content Security Policy (CSP) whose script-src omits 'unsafe-inline' blocks the injected inline script even if encoding is missed somewhere. After deploying WAF rules or code changes, test the application to confirm that legitimate functionality, in particular adding notices, still works.
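The following is an added example written for this page; it is not code from the Cyber-III project. It reproduces the reflection pattern described above using a constructed PHP_SELF value (the function names and the sample request path are assumptions), then shows the two code-level fixes and the defence-in-depth CSP header side by side.

```php
<?php
// Added example, not code from the Cyber-III Student-Management-System.
// Function names and the sample request path below are assumptions made
// for illustration.

declare(strict_types=1);

// PHP_SELF is the script name plus any PATH_INFO the client appended, so a
// request to  /admin/Add%20notice/add%20notice.php/"><script>...</script>
// puts attacker-controlled text into $_SERVER['PHP_SELF'] (already
// URL-decoded). This value is constructed for the demonstration.
$constructedPhpSelf = '/admin/Add notice/add notice.php/"><script>alert(document.cookie)</script><a href="';

// Pattern the vulnerable page follows: raw PHP_SELF inside an HTML attribute.
// The payload closes the action attribute and the tag, then injects a script.
function renderFormVulnerable(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">'
        . '<input type="text" name="notice_title">'
        . '<input type="submit" value="Add notice">'
        . '</form>';
}

// Fix 1: encode for the HTML attribute context. ENT_QUOTES escapes both
// quote styles, so the attacker can no longer break out of the attribute.
function renderFormEncoded(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
        . '<input type="text" name="notice_title">'
        . '<input type="submit" value="Add notice">'
        . '</form>';
}

// Fix 2: do not reflect the request path at all. An empty action submits
// to the current URL, which is all PHP_SELF was being used for.
function renderFormStaticAction(): string
{
    return '<form method="post" action="">'
        . '<input type="text" name="notice_title">'
        . '<input type="submit" value="Add notice">'
        . '</form>';
}

// Deliberately simple check used only to make the difference visible:
// did a <script> tag from the request path end up in the rendered HTML?
function containsInjectedScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Defence in depth: a CSP without 'unsafe-inline' stops the inline script
// even if encoding is missed elsewhere. Headers are only sent under a web
// SAPI so the example also runs from the CLI.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

echo 'vulnerable: ', containsInjectedScript(renderFormVulnerable($constructedPhpSelf)) ? 'script injected' : 'clean', PHP_EOL;
echo 'encoded:    ', containsInjectedScript(renderFormEncoded($constructedPhpSelf)) ? 'script injected' : 'clean', PHP_EOL;
echo 'static:     ', containsInjectedScript(renderFormStaticAction()) ? 'script injected' : 'clean', PHP_EOL;
```

Run it with the php command-line binary: only the vulnerable renderer reports an injected script, the encoded and static-action versions do not. The substring check is there to show the effect, not to act as a sanitizer; the actual protection is the output encoding or the removal of the reflection.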
Update the Student-Management-System to a patched build. Because the project uses a continuous release model and does not publish version numbers, check the upstream repository for a commit later than 1a938fa61e9f735078e9b291d2e6215b4942af3f that changes add notice.php, or contact the vendor to confirm which commit carries the fix, and deploy that.
CVE-2026-5668 is a cross-site scripting (XSS) vulnerability in Cyber-III Student-Management-System builds up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f, caused by /admin/Add%20notice/add%20notice.php reflecting $_SERVER['PHP_SELF'] without encoding, which lets an attacker inject script through the request path.
If you are running Cyber-III Student-Management-System at commit 1a938fa61e9f735078e9b291d2e6215b4942af3f or earlier, you are potentially affected by this vulnerability.
Due to the rolling release model, a direct upgrade may not be immediately available. Encode or remove the PHP_SELF reflection in add notice.php, add WAF rules for that endpoint, and consider CSP as a further mitigation.
A public proof-of-concept exists, suggesting a higher likelihood of active exploitation. Monitor web server logs for requests to add%20notice.php that carry extra path segments or HTML metacharacters after the script name, and apply mitigations promptly.
Refer to the project's official communication channels and issue tracker for updates regarding this vulnerability.