A cross-site scripting (XSS) vulnerability has been discovered in Code-Projects Online Student Management System version 1.0. This weakness resides within an unknown function of the /admin/announcement/index.php?view=add file within the Announcement Management Module. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data.
The XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the web page viewed by other users. This can lead to various malicious actions, including stealing user credentials (session hijacking), redirecting users to phishing sites, or defacing the website. Given the location within the announcement management module, an attacker could potentially craft a malicious announcement that, when viewed by administrators or other users, triggers the XSS payload. The public availability of the exploit increases the risk of widespread exploitation.
The exploit for CVE-2026-2156 is publicly available, indicating a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant immediate attention. No KEV listing or active campaigns have been reported as of the publication date. The vulnerability was publicly disclosed on 2026-02-08.
Administrators and users of Code-Projects Online Student Management System version 1.0 are at risk. Shared hosting environments where multiple users share the same instance of the software are particularly vulnerable, as a compromised account could be used to inject malicious announcements affecting all users.
• generic web: Monitor access logs for suspicious requests to /admin/announcement/index.php?view=add containing unusual characters or patterns. Use curl to test the endpoint with various payloads and observe the response for signs of script execution:
curl -X POST -d "<script>alert('XSS')</script>" "http://your-target/admin/announcement/index.php?view=add"
• php: Examine the source code of /admin/announcement/index.php for missing or inadequate input validation and output encoding functions. Search for instances where user-supplied data is directly inserted into HTML without proper sanitization.
EPSS: 0.04% (11th percentile)
The primary mitigation is to upgrade to a patched version of Code-Projects Online Student Management System. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation on all user-supplied data within the announcement management module, specifically the view=add endpoint. Employ robust output encoding to prevent injected scripts from being executed by the browser. Consider implementing a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests.
Update Online Student Management System to a version later than 1.0 to fix the cross-site scripting (XSS) vulnerability in the announcement management module. If no such version is available, disable or remove the announcement management module until a fix is released.
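As an added illustration, not code from the Code-Projects project (whose source the advisory does not show), a hypothetical PHP reconstruction of the defect class behind this finding: announcement fields echoed raw into HTML, beside the encoded form the mitigation calls for. Function names, field names and the sample input are assumptions.

```php
<?php
// Added example; hypothetical reconstruction, not the project's own code.
// Defect class: user-supplied announcement fields written into HTML unencoded.

// Vulnerable pattern (hypothetical): posted values land in the page verbatim.
function render_announcement_vulnerable(array $post): string
{
    $title = $post['title'] ?? '';
    $body  = $post['body'] ?? '';
    return "<h2>$title</h2>\n<p>$body</p>";
}

// Hardened pattern: every untrusted value is HTML-encoded for the context it lands in.
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside attributes;
    // ENT_SUBSTITUTE keeps malformed UTF-8 from collapsing the output to an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_announcement_safe(array $post): string
{
    $title = $post['title'] ?? '';
    $body  = $post['body'] ?? '';
    // Server-side validation is a second layer, not a replacement for encoding.
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1..200 characters');
    }
    return '<h2>' . e($title) . "</h2>\n<p>" . e($body) . '</p>';
}

// Constructed sample input (not taken from the advisory).
$sample = ['title' => 'Exam <script>alert(1)</script>', 'body' => 'Hall "B" & room 3'];
echo render_announcement_vulnerable($sample), "\n"; // script element reaches the browser intact
echo render_announcement_safe($sample), "\n";       // encoded as &lt;script&gt;..., shown as text
```

The safe renderer encodes for an HTML element body; a value placed inside a JavaScript block or a URL needs the encoding appropriate to that context instead.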
CVE-2026-2156 is a cross-site scripting (XSS) vulnerability affecting Code-Projects Online Student Management System version 1.0, allowing attackers to inject malicious scripts.
If you are using Code-Projects Online Student Management System version 1.0, you are potentially affected by this vulnerability. Upgrade is the recommended solution.
Upgrade to a patched version of the software. As a temporary workaround, implement strict input validation and output encoding.
The exploit is publicly available, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the Code-Projects website or security mailing lists for the official advisory regarding CVE-2026-2156.