Platform: php
Component: exam-form-submission
Fixed in: 1.0.1
CVE-2026-4595 is a cross-site scripting (XSS) vulnerability in Exam Form Submission version 1.0. The flaw is in /admin/update_s6.php, which places the value of the sname parameter into its HTML output without adequate encoding, so an attacker-controlled value can inject script that runs in the browser of whoever views the page. The CVSS severity is Low, but the issue has been publicly disclosed, so exploitation requires no novel research.
Successful exploitation of CVE-2026-4595 lets an attacker run arbitrary JavaScript in the browser of the user who views the affected page. Because the page is under /admin/, that user is typically an administrator, so the consequences include session hijacking (or, where the session cookie is HttpOnly, actions performed through the victim's session by the injected script), defacement of the administrative interface, and theft of credentials or exam data. The attack is delivered over the web, so the attacker needs no network adjacency; as with any XSS, though, the victim must load the page that carries the payload, which for a reflected vector means following an attacker-supplied link.
CVE-2026-4595 has been publicly disclosed, which raises the probability of opportunistic exploitation. The vulnerability is present in Exam Form Submission 1.0 and is reachable over the network. There is no CISA KEV listing; the EPSS score recorded on this page is 0.03% (9th percentile), i.e. low predicted exploitation activity at the time of writing.
Administrators of Exam Form Submission 1.0 installations are the primary targets, since the vulnerable page lives in the admin area. XSS executes in a victim's browser, not on the server, so it does not by itself cross tenant boundaries on shared hosting; the realistic outcome is takeover of the administrative session and, through it, of the exam and student data the application manages. Organizations relying on Exam Form Submission for sensitive data collection or exam administration should prioritize mitigation.
• php / server: check whether update_s6.php references sname without encoding it (a heuristic only; $WEBROOT is the document root of your installation):
grep -n 'sname' "$WEBROOT/admin/update_s6.php" | grep -v 'htmlspecialchars'
• generic web: send a harmless probe and check whether it comes back unencoded. The URL must be quoted, otherwise the shell treats < and > as redirections, and a HEAD request (-I) cannot show reflection, so fetch the body. The admin endpoint will normally require an authenticated session, so run this against a test instance or pass your session cookie with -b:
curl -s 'http://your-exam-form-submission-url.com/admin/update_s6.php?sname=%3Cscript%3Ealert(1)%3C/script%3E' | grep -c '<script>alert(1)</script>'
• generic web: examine access logs for requests to /admin/update_s6.php whose sname value contains markup or script indicators (for example <script>, <!--, javascript:, or their percent-encoded forms such as %3Cscript%3E). If the form submits sname in a POST body, the value does not appear in standard access logs; you then need a WAF or application-level log of request bodies.
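The log review described above, as an added example that is not part of the original advisory or of the Exam Form Submission project: a PHP CLI script that parses combined-format access log lines, isolates requests to /admin/update_s6.php, fully URL-decodes the sname query value (two passes, so double-encoded payloads are caught) and reports lines that carry XSS indicators. The log lines, IP addresses and the indicator list are constructed for the demo; pass a real log path as the first argument to scan your own logs.

```php
<?php
// Added example (not from the original advisory or the Exam Form Submission project):
// scan combined-format web server access logs for requests to /admin/update_s6.php
// whose 'sname' query value carries XSS indicators. The entries in $SAMPLE_LOG are
// constructed for this demo; pass a real log path as the first CLI argument instead.
declare(strict_types=1);

const TARGET_PATH = '/admin/update_s6.php';

// Indicators matched against the fully URL-decoded, lower-cased sname value.
const XSS_INDICATORS = ['<script', '<!--', 'javascript:', 'onerror=', 'onload=', '<svg', '<img', '<iframe'];

/** Return the decoded 'sname' value of a request target, or null if it is absent. */
function extract_sname(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);          // decodes one layer of percent-encoding
    if (!isset($params['sname']) || !is_string($params['sname'])) {
        return null;
    }
    return urldecode($params['sname']);  // second pass catches double-encoded payloads
}

/** True when the value contains any indicator, case-insensitively. */
function is_suspicious(string $value): bool
{
    $lower = strtolower($value);
    foreach (XSS_INDICATORS as $indicator) {
        if (strpos($lower, $indicator) !== false) {
            return true;
        }
    }
    return false;
}

/** Return the log lines that target the vulnerable endpoint with a suspicious sname. */
function find_hits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Request line inside a combined-format entry: "METHOD /target HTTP/x.y"
        if (!preg_match('#"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (parse_url($target, PHP_URL_PATH) !== TARGET_PATH) {
            continue;
        }
        $sname = extract_sname($target);
        if ($sname !== null && is_suspicious($sname)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample: one benign request, two payloads (the last one double-encoded), one unrelated path.
$SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /admin/update_s6.php?sname=Alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2026:10:00:07 +0000] "GET /admin/update_s6.php?sname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '198.51.100.2 - - [10/Mar/2026:10:01:13 +0000] "GET /index.php?sname=%3Cscript%3E HTTP/1.1" 200 300',
    '203.0.113.9 - - [10/Mar/2026:10:02:20 +0000] "GET /admin/update_s6.php?sname=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 540',
];

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $SAMPLE_LOG;
foreach (find_hits($lines) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run it as `php scan_update_s6.php /var/log/apache2/access.log`. On the constructed sample only the two 203.0.113.9 entries are reported: the benign name passes, the /index.php request is out of scope, and the double-encoded `<img onerror=...>` is caught because the value is decoded twice before matching. Indicator matching is deliberately broad and will produce false positives on legitimate names containing `<`; treat hits as leads for manual review, not as confirmed exploitation. Requests that carry sname in a POST body will not show up here at all.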
Exploit status: disclosure
EPSS: 0.03% (percentile 9%)
CISA SSVC: not provided
CVSS vector: not provided
The primary mitigation for CVE-2026-4595 is to upgrade to the patched release of Exam Form Submission (this page lists 1.0.1 as the fixed version; confirm that against the vendor's release notes and test the upgrade before deploying it). If you cannot upgrade immediately, fix the sink yourself: pass the sname value through context-appropriate output encoding (htmlspecialchars with ENT_QUOTES for HTML text and attribute contexts) at every point where /admin/update_s6.php writes it into the response, and add allow-list validation on input. Encoding at output is the control that actually stops XSS; validation alone is not sufficient. A Web Application Firewall rule that blocks script-like content in requests to this endpoint is a useful stopgap, but encoding tricks can bypass it, so it does not replace the code fix. Keep reviewing access logs for suspicious activity against /admin/update_s6.php.
Update the Exam Form Submission application to the latest available version to mitigate the XSS vulnerability. Check the project's official sources for update instructions and security fixes. Implement input validation and output escaping to prevent future XSS attacks.
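The workaround described above (validate sname on input, encode it at output), as an added example: this is not code from the Exam Form Submission project, and the real update_s6.php is not reproduced. render_sname_vulnerable() is a hypothetical minimal reconstruction of the bug class the advisory describes, and render_sname_safe() with encode_html() and is_valid_sname() is the hardened form; the name pattern and the probe payload are assumptions made for the demo.

```php
<?php
// Added example, not code from the Exam Form Submission project. The real
// update_s6.php is not reproduced here; render_sname_vulnerable() is a hypothetical
// minimal reconstruction of the bug class the advisory describes (sname placed into
// HTML unencoded) and render_sname_safe() is the hardened form.
declare(strict_types=1);

/** Vulnerable pattern: the raw request value is concatenated into an HTML attribute. */
function render_sname_vulnerable(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

/** Encode a value for an HTML text or attribute context. This is the control that stops XSS. */
function encode_html(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close a quoted attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allow-list validation for a student name (assumed shape): letters, spaces, dot, apostrophe, hyphen; 1 to 100 characters. */
function is_valid_sname(string $sname): bool
{
    return preg_match('/^[\p{L} .\'\-]{1,100}$/u', $sname) === 1;
}

/** Hardened pattern: reject malformed input early, then encode at the point of output. */
function render_sname_safe(string $sname): string
{
    if (!is_valid_sname($sname)) {
        throw new InvalidArgumentException('sname rejected by input validation');
    }
    return '<input type="text" name="sname" value="' . encode_html($sname) . '">';
}

$payload = '"><script>alert(1)</script>';   // constructed probe that closes the attribute and injects a script tag
$legit   = "O'Brien";                        // legitimate name that contains a quote character

// 1. Vulnerable sink: the payload lands in the markup intact and the script runs.
echo render_sname_vulnerable($payload), PHP_EOL;

// 2. Encoding alone neutralizes the payload even when validation is skipped:
//    every <, >, " and ' becomes an entity, so the browser renders it as text.
echo encode_html($payload), PHP_EOL;

// 3. Hardened sink with a legitimate name: the apostrophe is entity-encoded, the name still displays correctly.
echo render_sname_safe($legit), PHP_EOL;

// 4. Hardened sink with the payload: rejected before it reaches the output.
try {
    render_sname_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php xss_fix_demo.php`. Two design points matter beyond the snippet: encode at every output point, including any later page that reads the stored name back from the database, because the encoding belongs to the HTML context, not to the value; and do not rely on the allow-list alone, since a future field that legitimately accepts `<` or `&` would reopen the hole if encoding were missing.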
CVE-2026-4595 is a cross-site scripting vulnerability in Exam Form Submission version 1.0, affecting the /admin/update_s6.php file. It allows attackers to inject malicious scripts via the 'sname' parameter.
If you are using Exam Form Submission version 1.0, you are potentially affected. Upgrade to a patched version as soon as possible.
Upgrade to a patched version of Exam Form Submission. If upgrading is not immediately possible, implement strict input validation and sanitization on the 'sname' parameter and consider using a WAF.
This page's exploit status is "disclosure" and its EPSS score is 0.03%, so there is no evidence of active exploitation at the time of writing; public disclosure does, however, make opportunistic scanning for vulnerable instances plausible.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-4595.