Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been discovered in Code-Projects Online Student Management System version 1.0. This weakness resides within an unknown function of the /admin/announcement/index.php?view=add file within the Announcement Management Module. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data.
The XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the web page viewed by other users. This can lead to various malicious actions, including stealing user credentials (session hijacking), redirecting users to phishing sites, or defacing the website. Given the location within the announcement management module, an attacker could potentially craft a malicious announcement that, when viewed by administrators or other users, triggers the XSS payload. The public availability of the exploit increases the risk of widespread exploitation.
The exploit for CVE-2026-2156 is publicly available, indicating a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant immediate attention. No KEV listing or active campaigns have been reported as of the publication date. The vulnerability was publicly disclosed on 2026-02-08.
Administrators and users of Code-Projects Online Student Management System version 1.0 are at risk. Shared hosting environments where multiple users share the same instance of the software are particularly vulnerable, as a compromised account could be used to inject malicious announcements affecting all users.
• generic web: Monitor access logs for suspicious requests to /admin/announcement/index.php?view=add containing unusual characters or patterns. Use curl to test the endpoint with various payloads and observe the response for signs of script execution.
curl -X POST -d "<script>alert('XSS')</script>" "http://your-target/admin/announcement/index.php?view=add"
• php: Examine the source code of /admin/announcement/index.php for missing or inadequate input validation and output encoding functions. Search for instances where user-supplied data is directly inserted into HTML without proper sanitization.
disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of Code-Projects Online Student Management System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation on all user-supplied data within the announcement management module, specifically the view=add endpoint. Employ robust output encoding to prevent injected scripts from being executed by the browser. Consider implementing a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests.
Update Online Student Management System to a version later than 1.0 that fixes the Cross-Site Scripting (XSS) vulnerability in the announcement management module. If no such version is available, it is recommended to disable or remove the announcement management module until a fix is published.
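As an added example (not code from the original advisory or from the Code-Projects Online Student Management System), the PHP below places the unsafe echo pattern the php check looks for next to a hardened version that applies the validation and output-encoding workaround recommended above; the field names title and content, the length limits and the function names are assumptions.

```php
<?php
// Added example, not the project's code: vulnerable vs hardened rendering of
// an announcement. Field names, limits and function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: user-supplied data is interpolated straight into HTML,
// so a stored announcement containing a <script> tag runs in every viewer's
// browser. This is the shape of defect to search for in index.php.
function renderAnnouncementUnsafe(array $a): string
{
    return "<h3>{$a['title']}</h3><div>{$a['content']}</div>";
}

// Hardened step 1: validate on input (presence, length, no control characters).
function validateAnnouncement(array $input): array
{
    $title   = trim((string)($input['title'] ?? ''));
    $content = trim((string)($input['content'] ?? ''));
    $errors  = [];
    if ($title === '' || mb_strlen($title) > 150) {
        $errors[] = 'title must be 1-150 characters';
    }
    if ($content === '' || mb_strlen($content) > 5000) {
        $errors[] = 'content must be 1-5000 characters';
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $title . $content)) {
        $errors[] = 'control characters are not allowed';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'data' => ['title' => $title, 'content' => $content]];
}

// Hardened step 2: HTML-encode on output. ENT_QUOTES also encodes ' and ",
// so the value stays inert inside attribute values, not only in text nodes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAnnouncementSafe(array $a): string
{
    return '<h3>' . h($a['title']) . '</h3><div>' . h($a['content']) . '</div>';
}

// Constructed sample input using the payload shape from the curl probe above.
$sample = ['title' => "<script>alert('XSS')</script>", 'content' => 'Exam schedule'];
$v = validateAnnouncement($sample);
if ($v['ok']) {
    echo renderAnnouncementUnsafe($v['data']), PHP_EOL; // tag remains live markup
    echo renderAnnouncementSafe($v['data']), PHP_EOL;   // tag is now inert text
}
```

Validation alone does not stop XSS here (the sample passes it), which is why the output encoding in renderAnnouncementSafe is the control that actually neutralises the payload.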
CVE-2026-2156 is a cross-site scripting (XSS) vulnerability affecting Code-Projects Online Student Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Code-Projects Online Student Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is the recommended solution.
Upgrade to a patched version of the software. As a temporary workaround, implement strict input validation and output encoding.
The exploit is publicly available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the Code-Projects website or security mailing lists for the official advisory regarding CVE-2026-2156.