Platform
php
Fixed in
1.0.1
CVE-2026-4577 is a cross-site scripting (XSS) vulnerability in code-projects Exam Form Submission version 1.0. The flaw lets an attacker inject script into the application's HTML output, which can compromise user data and session integrity. It resides in the /admin/update_s4.php file, in a function the advisory does not name, and is triggered through the 'sname' parameter. A public exploit is available, which increases the likelihood of exploitation.
Successful exploitation of CVE-2026-4577 lets an attacker run arbitrary JavaScript in the browser of a user who views the injected content. Because the affected file sits under /admin/, the most likely victim is an authenticated administrator, so the consequences include session hijacking, credential theft, defacement of the interface, reading data the administrator can see, and redirecting the victim to attacker-controlled sites. With an exploit publicly available, the risk is elevated for systems that are not promptly patched.
CVE-2026-4577 has been publicly disclosed and a proof-of-concept exploit is available, which indicates a moderate risk of exploitation. The vulnerability is not currently listed on CISA KEV. The LOW CVSS score reflects the limited impact typical of XSS (the payload runs in a victim's browser rather than on the server and needs a victim to view the injected content), not the difficulty of exploitation; the public exploit still warrants prompt attention.
Administrators and users of Exam Form Submission 1.0 are at risk, administrators most of all, since the vulnerable page is in the admin area and the script runs with whatever session the victim holds. Deployments without input validation and output encoding on this parameter, and without a WAF in front of the admin area, are the easiest to exploit.
• php / server (confirm the parameter is read in the vulnerable file):
grep -n 'sname' /var/www/html/admin/update_s4.php
• generic web (a non-zero count means the payload is reflected unencoded; a HEAD request with -I would not show this):
curl -s -G 'http://your-exam-form-submission-url/admin/update_s4.php' --data-urlencode 'sname=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>'
• generic web (status code for an attribute-based payload; if the admin area requires a login, pass the administrator's session cookie with -b):
curl -s -G 'http://your-exam-form-submission-url/admin/update_s4.php' --data-urlencode 'sname=<img src=x onerror=alert(1)>' -o /dev/null -w '%{http_code}\n'
Disclosure
Exploit status
EPSS
0.03% (percentile 9%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4577 is to upgrade to a patched version of Exam Form Submission. This page lists 1.0.1 as the fixed version; confirm that against the code-projects repository and any associated security advisory before relying on it. As a temporary workaround, apply strict input validation and HTML output encoding to the 'sname' parameter in /admin/update_s4.php, and consider a Web Application Firewall (WAF) with XSS filtering rules in front of the admin area. After applying a fix, verify it by submitting a simple payload (e.g. <script>alert(1)</script>) through the 'sname' parameter and confirming that the response contains it only in encoded form (for example as &lt;script&gt;), not as live markup.
Update to a fixed version or apply the necessary security measures to prevent injection of malicious code via the 'sname' parameter in the file '/admin/update_s4.php'. Validating and sanitizing user input is essential to prevent XSS (Cross-Site Scripting) attacks.
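The two mitigation paragraphs above describe the workaround in words; the following PHP is an added example, not code from the Exam Form Submission project. The advisory does not name the vulnerable function, so the "vulnerable" handler below is a hypothetical reconstruction of the pattern that produces this class of bug (the parameter concatenated into HTML), placed beside a hardened version that validates on input and encodes on output. The allowed character set for a student name is an assumed business rule, and the payloads are taken from the page's own checks.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of the vulnerable pattern: the 'sname' parameter
// is concatenated straight into the HTML response, so a payload such as
// ?sname=<script>alert(1)</script> runs in the administrator's browser.
function render_name_vulnerable(array $get): string
{
    $sname = $get['sname'] ?? '';
    return '<input type="text" name="sname" value="' . $sname . '">';
}

// Input validation: return the cleaned name, or null to reject the request.
// The allowed character set (letters, combining marks, space, dot, apostrophe,
// hyphen; at most 60 characters) is an assumed rule for a student name.
function validate_sname(string $sname): ?string
{
    $sname = trim($sname);
    if ($sname === '' || mb_strlen($sname, 'UTF-8') > 60) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $sname)) {
        return null;
    }
    return $sname;
}

// Hardened handler: reject non-string input (?sname[]=x would otherwise be
// juggled to "Array"), validate, and still HTML-encode whatever survives,
// because validation alone is not the control that stops XSS.
function render_name_hardened(array $get): string
{
    $raw = $get['sname'] ?? null;
    if (!is_string($raw)) {
        // In the real handler: http_response_code(400) and stop.
        return 'Invalid student name';
    }
    $sname = validate_sname($raw);
    if ($sname === null) {
        // In the real handler: http_response_code(400) and stop.
        return 'Invalid student name';
    }
    $safe = htmlspecialchars($sname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="sname" value="' . $safe . '">';
}

// Constructed inputs: the two payloads from the page's checks plus a legitimate name.
$inputs = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    "O'Brien",
];
foreach ($inputs as $in) {
    printf(
        "input     : %s\nvulnerable: %s\nhardened  : %s\n\n",
        $in,
        render_name_vulnerable(['sname' => $in]),
        render_name_hardened(['sname' => $in])
    );
}
```

Run it with `php example.php`: the vulnerable output reproduces both payloads as live markup, while the hardened output rejects them at validation and would render a legitimate name such as O'Brien with the apostrophe encoded (ENT_QUOTES matters here precisely because the value sits inside a quoted attribute). As defense in depth, a Content-Security-Policy header that disallows inline script would also stop both of these payloads from executing even if encoding were missed somewhere else.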
CVE-2026-4577 is a cross-site scripting (XSS) vulnerability in Exam Form Submission 1.0, allowing attackers to inject malicious scripts via the 'sname' parameter in /admin/update_s4.php.
If you are using Exam Form Submission version 1.0 and have not applied a patch, you are potentially affected by this XSS vulnerability.
Upgrade to a patched version of Exam Form Submission. If a patch is unavailable, implement strict input validation and output encoding on the 'sname' parameter and consider a WAF.
A public exploit exists, indicating a potential for active exploitation. Prompt mitigation is recommended.
Refer to the code-projects repository and associated security advisories for updates and information regarding CVE-2026-4577.