1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Exam Form Submission version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data integrity. The vulnerability resides within the /admin/update_s1.php file, specifically related to the handling of the 'sname' argument. A fix is available.
Successful exploitation of CVE-2026-4557 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can lead to session hijacking, defacement of the application, or the theft of sensitive information, such as login credentials or personal data. Given the location of the vulnerable file (/admin/update_s1.php), an attacker who gains access to the administrative interface could potentially compromise the entire application and its underlying data. The public availability of an exploit significantly increases the risk of widespread exploitation.
This vulnerability is considered actively exploitable due to the public availability of a proof-of-concept. It was disclosed on 2026-03-22. While no specific threat actors have been linked to exploitation, the ease of exploitation makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV.
Administrators and users of Exam Form Submission version 1.0 are at risk. Shared hosting environments where multiple applications share the same server are particularly vulnerable, as a compromise of one application could potentially lead to the compromise of others. Users who rely on the application for sensitive data management are also at heightened risk.
• php / web:
grep -r "sname = [^\"].*?" /var/www/exam_form_submission/
• generic web:
curl -I "http://your-exam-form-submission-site.com/admin/update_s1.php?sname=<script>alert(1)</script>"
Exploitation status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4557 is to upgrade to the patched version of Exam Form Submission. If an immediate upgrade is not feasible, implement a Web Application Firewall (WAF) rule to filter out malicious input containing script tags or other XSS payloads targeting the 'sname' parameter in /admin/update_s1.php. Input validation and sanitization on the server-side are also crucial to prevent the injection of malicious code. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed.
Update the Exam Form Submission application to the patched version that fixes the cross-site scripting (XSS) vulnerability. Alternatively, manually patch the /admin/update_s1.php file so that user input from the 'sname' parameter is properly validated and escaped before it is displayed on the page.
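Added illustration of the fix described above; this is not the project's code. The page does not reproduce /admin/update_s1.php, so the vulnerable and hardened handlers below are hypothetical reconstructions of the pattern the advisory describes (a user-supplied 'sname' value written into admin HTML), and the allow-list of acceptable name characters and the CSP header are assumptions.

```php
<?php
// Hypothetical reconstruction, not the Exam Form Submission source: models the
// advisory's description of 'sname' being echoed into the admin page unescaped.

// Vulnerable pattern: the raw parameter is written straight into the markup,
// so a value such as <script>alert(1)</script> runs in the administrator's browser.
function render_sname_vulnerable(array $request): string
{
    $sname = $request['sname'] ?? '';
    return "<input type=\"text\" name=\"sname\" value=\"" . $sname . "\">";
}

// Hardened pattern: validate the value against what the field is expected to
// hold, then escape it for the HTML attribute context before output.
function render_sname_safe(array $request): string
{
    $sname = trim((string)($request['sname'] ?? ''));

    // Allow-list (assumed): letters in any script, spaces, apostrophes, hyphens,
    // dots; at most 100 characters. Anything else is rejected, not "cleaned".
    if ($sname === '' || mb_strlen($sname) > 100
        || !preg_match('/^[\p{L} \'.\-]+$/u', $sname)) {
        http_response_code(400);
        return 'Invalid value for sname';
    }

    // Context-aware escaping: <, >, ", ' and & become entities, so the value
    // cannot terminate the attribute or start a tag.
    $escaped = htmlspecialchars($sname, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<input type=\"text\" name=\"sname\" value=\"" . $escaped . "\">";
}

// Defence in depth (assumed policy): a CSP that disallows inline scripts limits
// the impact of any escaping bug that remains elsewhere in the admin interface.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

echo render_sname_safe($_POST);
```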
CVE-2026-4557 is a cross-site scripting (XSS) vulnerability in Exam Form Submission version 1.0, allowing attackers to inject malicious scripts via the 'sname' parameter in /admin/update_s1.php.
If you are using Exam Form Submission version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
Upgrade to the latest patched version of Exam Form Submission. If upgrading is not immediately possible, implement WAF rules to filter malicious input and sanitize server-side input.
Yes, a public exploit is available, indicating a high probability of active exploitation.
Refer to the official Exam Form Submission project website or repository for the latest security advisories and updates.