Platform
php
Component
public
Fixed version
1.0.1
CVE-2026-4474 describes a cross-site scripting (XSS) vulnerability discovered in itsourcecode University Management System, specifically affecting version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'stname' parameter within the /adminsinglestudentupdate.php file. A public exploit has been released, increasing the potential for exploitation. Mitigation strategies include upgrading the system and implementing web application firewall (WAF) rules.
Successful exploitation of CVE-2026-4474 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser session on the University Management System. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive student data or administrative functionalities depending on the user's privileges. The published exploit significantly lowers the barrier to entry for attackers, increasing the risk of widespread exploitation.
CVE-2026-4474 has a LOW CVSS score of 2.4. A public proof-of-concept exploit is available, indicating a relatively high probability of exploitation. The vulnerability was disclosed on 2026-03-20. No KEV listing or confirmed exploitation campaigns are currently known.
Administrators and users of itsourcecode University Management System version 1.0 are at risk. Organizations relying on this system for student data management, particularly those with limited security resources or outdated configurations, are especially vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• php / web:
  grep -r 'st_name' /var/www/html/itsourcecode/admin_single_student_update.php
• generic web:
  curl -I "http://your-university-management-system/admin_single_student_update.php?st_name=<script>alert(1)</script>"
• generic web: Examine access logs for requests to /adminsinglestudentupdate.php containing suspicious characters or script tags in the 'stname' parameter.
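The log review suggested in the last item can be scripted. The following PHP is an added example, not code from the advisory or from the itsourcecode project: it parses combined-format access log lines, keeps only requests to the affected script, URL-decodes the name parameter (checked under both spellings the advisory uses, 'st_name' and 'stname') and flags values that contain tags, event handlers or javascript: URLs. The script path constant and the sample log lines are constructed for the example.

```php
<?php
// Added example: detection over access log lines, not part of the advisory
// or of itsourcecode University Management System. The sample log lines
// below are constructed, not real traffic.

declare(strict_types=1);

// Path of the affected script (assumed spelling; the advisory writes it several ways).
const TARGET_SCRIPT = '/admin_single_student_update.php';

// Extract method, path and raw query string from a combined-format log line.
function parse_request(string $line): ?array
{
    if (!preg_match('/"(GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    return [
        'method' => $m[1],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',
    ];
}

// Heuristic for an XSS probe in a decoded value: an opening or closing tag,
// an inline event handler, or a javascript: URL. Tune to your own traffic.
function looks_like_xss(string $value): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i', $value);
}

// Return the suspicious lines together with the decoded parameter value.
function find_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_request($line);
        if ($req === null || $req['path'] !== TARGET_SCRIPT) {
            continue;
        }
        // parse_str URL-decodes the query, so %3Cscript%3E becomes <script>.
        parse_str($req['query'], $params);
        foreach (['st_name', 'stname'] as $key) {
            if (isset($params[$key]) && looks_like_xss((string) $params[$key])) {
                $hits[] = ['line' => $line, 'value' => (string) $params[$key]];
            }
        }
    }
    return $hits;
}

// Constructed sample: one benign update, one encoded script payload,
// one unrelated request that must not be flagged.
$sample = [
    '10.0.0.5 - - [20/Mar/2026:10:00:01 +0000] "GET /admin_single_student_update.php?id=7&st_name=Mary%20Smith HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Mar/2026:10:00:02 +0000] "GET /admin_single_student_update.php?id=7&st_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5130 "-" "curl/8.0"',
    '10.0.0.9 - - [20/Mar/2026:10:00:03 +0000] "GET /index.php?page=%3Cb%3Ex HTTP/1.1" 200 900 "-" "curl/8.0"',
];

foreach (find_suspicious($sample) as $hit) {
    echo 'SUSPICIOUS st_name value: ', $hit['value'], PHP_EOL;
    echo '  ', $hit['line'], PHP_EOL;
}
```

Only the second sample line is reported. One caveat: if the application submits the update form by POST, the parameter travels in the request body and never appears in a standard access log, so this check then has to run at the WAF or inside the application's own request logging.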
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4474 is to upgrade to a patched version of itsourcecode University Management System. Since a fixed version is not specified, immediate action is critical. As a temporary workaround, implement strict input validation and sanitization on the 'stname' parameter within the /adminsinglestudentupdate.php file. Deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this specific endpoint. Monitor access logs for suspicious activity related to the /adminsinglestudent_update.php file.
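The workaround above (validate and sanitize the name parameter) comes down to two controls: reject values that cannot be a student name, and HTML-encode whatever is reflected into the page. The PHP below is an added example, not code from the itsourcecode project or from the advisory; it places the vulnerable pattern (raw parameter written into an attribute) beside a hardened version. The parameter name 'st_name', the allowed-character rule and the form markup are assumptions.

```php
<?php
// Added example: vulnerable reflection of a request parameter beside a
// hardened version. Not code from itsourcecode University Management
// System; parameter name, form markup and the name rule are assumptions.

declare(strict_types=1);

// Vulnerable: the raw parameter is written straight into the attribute, so
// a value such as "><script>alert(1)</script> closes the attribute and the
// browser renders the script element.
function render_student_name_vulnerable(array $request): string
{
    $name = $request['st_name'] ?? '';
    return '<input type="text" name="st_name" value="' . $name . '">';
}

// Validation: letters (any script), combining marks, spaces, dots,
// apostrophes and hyphens, 1 to 100 characters. Anything else is rejected.
function validate_student_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'\-]{1,100}$/u', $name);
}

// Output encoding: ENT_QUOTES encodes both quote characters, so the value
// cannot terminate a single- or double-quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: validate first, then encode at the point of output. Encoding is
// applied even to accepted names, so a stored value is safe as well.
function render_student_name_hardened(array $request): string
{
    $name = (string) ($request['st_name'] ?? '');
    if (!validate_student_name($name)) {
        // Reject rather than "clean": record the attempt and render an empty field.
        error_log('Rejected st_name value (hex): ' . bin2hex($name));
        $name = '';
    }
    return '<input type="text" name="st_name" value="' . html_attr($name) . '">';
}

// Constructed sample inputs: a benign name with an apostrophe, and a
// payload that tries to break out of the attribute.
$benign  = ['st_name' => "Mary O'Neil"];
$payload = ['st_name' => '"><script>alert(1)</script>'];

echo 'vulnerable: ', render_student_name_vulnerable($payload), PHP_EOL;
echo 'hardened:   ', render_student_name_hardened($payload), PHP_EOL;
echo 'hardened:   ', render_student_name_hardened($benign), PHP_EOL;
```

The order matters: validation narrows what reaches the database, but output encoding is the control that actually prevents script execution, and it belongs at every place the value is written into HTML, not only in the update handler.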
Update the University Management System to a patched version. Contact the vendor to obtain a fixed version, or take the security measures needed to prevent malicious scripts from executing in the st_name field.
CVE-2026-4474 is a cross-site scripting (XSS) vulnerability in itsourcecode University Management System version 1.0, allowing attackers to inject malicious scripts via the 'stname' parameter in /adminsinglestudentupdate.php.
If you are using itsourcecode University Management System version 1.0, you are potentially affected by this vulnerability. Upgrade as soon as possible.
Upgrade to a patched version of itsourcecode University Management System. If a patch is unavailable, implement input validation and WAF rules as temporary mitigations.
A public proof-of-concept exploit is available, suggesting a potential for active exploitation. Monitor your system closely.
Consult the itsourcecode website or relevant security mailing lists for the official advisory regarding CVE-2026-4474.