CVE-2026-4578 is a cross-site scripting (XSS) vulnerability in code-projects Exam Form Submission version 1.0. It allows an attacker to inject script into a page served by the application and so to act within the sessions of the users who view that page. The flaw lies in the file /admin/update_s3.php, in a function the advisory does not identify, and is reachable through the 'sname' parameter. The vulnerability was publicly disclosed on 2026-03-23.
Successful exploitation of CVE-2026-4578 lets the attacker execute arbitrary JavaScript in the victim's browser, within the origin of the Exam Form Submission site. That position is enough for session hijacking (stealing the session cookie where it lacks the HttpOnly flag, or simply issuing requests as the victim), defacement of the rendered page, and theft of any data the victim can see or submit, such as credentials or personal details. Because the affected script sits under /admin, the likely victim is an administrator, and the injected script can then invoke administrative functions with that user's privileges. The attack is remote: it needs only network access to the application and a way to get the payload in front of the victim.
CVE-2026-4578 is publicly disclosed, which raises the likelihood of exploitation: the description names the file and the parameter, so a proof-of-concept is trivial to write even if none has been published. The severity is rated LOW and the EPSS score is 0.03% (9th percentile), so the predicted probability of exploitation in the wild is small. A low severity rating is not a measure of attack complexity, however; delivering an XSS payload needs no special tooling, so opportunistic scanning of exposed instances should still be expected. No CISA KEV listing or active exploitation campaign is currently known.
Users who can reach /admin/update_s3.php, in practice the application's administrators, are the ones at risk, since the injected script runs in their browser and their session. The XSS itself does not cross application boundaries on a shared host, but a hijacked administrator session is often the first step towards a file upload or configuration change that does. Deployments with legacy configurations (session cookies without HttpOnly, no Content-Security-Policy) give a payload more to work with.
• php / web: Examine access logs for requests to /admin/update_s3.php with unusual values in the 'sname' parameter. Look for XSS indicators (<script> tags, on*= event handlers, javascript: URLs) and for their URL-encoded forms (%3Cscript%3E). Standard access logs record only the request line, so a 'sname' sent in a POST body will not appear there; for that you need request-body logging from a WAF or reverse proxy.
• generic web: Use curl, on a system you are authorised to test, to send a marker payload such as <script>alert(1)</script> to /admin/update_s3.php and check whether it comes back unencoded in the response body. curl does not run JavaScript, so there is no alert box to look for; an unencoded reflection, or the same marker appearing on whatever page later displays the stored value, is the indicator, while an encoded echo (&lt;script&gt;) means that output path is safe. Add your admin session cookie with -b if the endpoint requires a login.
curl -s -X POST --data-urlencode 'sname=<script>alert(1)</script>' http://your-exam-form-submission-server/admin/update_s3.php | grep -F '<script>alert(1)</script>'
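The log check described above, as an added example in PHP that is not code from Exam Form Submission or from the original advisory. It parses combined-format access-log lines, URL-decodes the request target so that percent-encoded payloads are caught, and flags requests to /admin/update_s3.php whose 'sname' matches a set of XSS indicator patterns. The sample lines are constructed, the indicator patterns are mine, and the script assumes 'sname' arrives in the query string, because a POSTed 'sname' never reaches the access log.

```php
<?php
// Added example (not code from Exam Form Submission or the advisory): scan
// combined-format access-log lines for requests to /admin/update_s3.php whose
// query-string 'sname' carries an XSS indicator. Only GET parameters appear in a
// standard access log; a POSTed 'sname' is invisible here unless a WAF or proxy
// logs request bodies.

const TARGET_PATH = '/admin/update_s3.php';

// Indicator patterns (an assumption; extend for your environment). They are
// matched against the URL-decoded value, so %3Cscript%3E is caught too.
const XSS_PATTERNS = [
    '/<\s*script/i',                                     // <script ...>
    '/<\s*\/?\s*(img|svg|iframe|body|object|embed)\b/i', // tag-based vectors
    '/\bon[a-z]+\s*=/i',                                 // onerror=, onload=, ...
    '/javascript\s*:/i',                                 // javascript: URLs
];

/** Split a combined-format line into ip, time, method, target and status; null if it does not fit. */
function parseLogLine(string $line): ?array
{
    // 1.2.3.4 - - [23/Mar/2026:10:00:00 +0000] "GET /path?x=y HTTP/1.1" 200 123 "-" "UA"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/** Decoded 'sname' if the target is update_s3.php with a query string carrying it, else null. */
function extractSname(string $target): ?string
{
    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== TARGET_PATH || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $query); // parse_str URL-decodes every value
    return isset($query['sname']) ? (string) $query['sname'] : null;
}

/** True if the value matches any indicator pattern. */
function looksLikeXss(string $value): bool
{
    foreach (XSS_PATTERNS as $re) {
        if (preg_match($re, $value)) {
            return true;
        }
    }
    return false;
}

/** Scan log lines and return the suspicious requests with the offending value. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $sname = extractSname($req['target']);
        if ($sname !== null && looksLikeXss($sname)) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'], 'sname' => $sname];
        }
    }
    return $hits;
}

// Constructed sample lines, not real traffic. The second and third carry
// URL-encoded payloads that a plain grep for "<script>" would miss; the last
// one hits a different path and should be ignored.
$sample = [
    '10.0.0.5 - - [23/Mar/2026:10:00:01 +0000] "GET /admin/update_s3.php?sname=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:02:13 +0000] "GET /admin/update_s3.php?sname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540 "-" "curl/8.5.0"',
    '203.0.113.7 - - [23/Mar/2026:10:02:20 +0000] "GET /admin/update_s3.php?sname=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 540 "-" "curl/8.5.0"',
    '10.0.0.9 - - [23/Mar/2026:10:05:00 +0000] "GET /index.php?sname=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach (scanLog($sample) as $hit) {
    printf("%s %s status=%d sname=%s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['sname']);
}
```

Run it with `php scan.php`; for a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)`. A hit is a lead, not a confirmed compromise: the status code and the response the server actually returned decide whether the payload was reflected or stored.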
Exploitation status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary fix for CVE-2026-4578 is to upgrade to a patched release of Exam Form Submission. As no fixed version is specified, review the code in /admin/update_s3.php for the point where 'sname' is written into the HTML response and apply contextual output encoding there (htmlspecialchars with ENT_QUOTES for HTML text and attribute contexts); add strict input validation on 'sname' as a second layer rather than a replacement, since a name field can legitimately contain characters such as apostrophes. A Web Application Firewall with XSS rules filters the obvious payloads but is bypassable and belongs to defence in depth, as do a Content-Security-Policy and the HttpOnly flag on the session cookie. Scan the application regularly with automated security tools.
Update the Exam Form Submission software to a patched version that fixes the cross-site scripting (XSS) vulnerability. If none is available, sanitize user input, in particular the 'sname' parameter in the file /admin/update_s3.php, to prevent malicious code injection.
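A worked illustration of the fix, added here and not taken from the project: the advisory does not publish the body of /admin/update_s3.php, so renderVulnerable() below is a hypothetical reconstruction of the bug class (the submitted 'sname' echoed into an HTML attribute unencoded), and validateSname(), h() and renderHardened() are the hardened form described above. The allowed character set for a name and the field length limit are assumptions.

```php
<?php
// Added example, not the project's code. The real handler in
// /admin/update_s3.php is not published; renderVulnerable() is a hypothetical
// reconstruction of the bug class, renderHardened() the fix.

/** Hypothetical vulnerable pattern: the submitted value is echoed verbatim into an attribute. */
function renderVulnerable(string $sname): string
{
    return '<input type="text" name="sname" value="' . $sname . '">';
}

/**
 * Input validation (second layer): a student name is 1-100 characters of
 * letters, spaces, apostrophes, hyphens and periods. The character set is an
 * assumption; widen it if the deployment needs other scripts or punctuation.
 * Requires the mbstring extension for mb_strlen().
 */
function validateSname(string $sname): string
{
    $sname = trim($sname);
    if ($sname === '' || mb_strlen($sname, 'UTF-8') > 100) {
        throw new InvalidArgumentException('sname must be 1-100 characters');
    }
    if (!preg_match('/^[\p{L} .\'\-]+$/u', $sname)) {
        throw new InvalidArgumentException('sname contains disallowed characters');
    }
    return $sname;
}

/** Output encoding (primary fix) for HTML text and double- or single-quoted attribute contexts. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened rendering: validate on input, encode on output. */
function renderHardened(string $sname): string
{
    return '<input type="text" name="sname" value="' . h(validateSname($sname)) . '">';
}

// Constructed inputs: one legitimate name, then two attribute-breakout payloads.
$inputs = [
    'Alice O\'Brien',
    '"><script>alert(1)</script>',
    'x" onmouseover="alert(1)',
];

foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . renderVulnerable($in) . "\n";
    try {
        echo "hardened:   " . renderHardened($in) . "\n";
    } catch (InvalidArgumentException $e) {
        // Validation rejected the value; encoding alone would also have neutralised it,
        // which is why the encoding step is the one that must never be skipped.
        echo "hardened:   rejected (" . $e->getMessage() . "); encoded form: " . h($in) . "\n";
    }
    echo "\n";
}
```

The encoding in h() is tied to the HTML attribute context of this snippet; a value written into a JavaScript string, a URL or an event-handler attribute needs the encoding for that context instead, and a value stored in the database must still be encoded wherever it is later displayed, not only in update_s3.php.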
CVE-2026-4578 is a cross-site scripting (XSS) vulnerability in Exam Form Submission 1.0, allowing attackers to inject malicious scripts via the /admin/update_s3.php file's 'sname' parameter.
If you are using Exam Form Submission version 1.0, you are potentially affected by this vulnerability. Review your code and implement mitigations.
Upgrading to a patched version of Exam Form Submission is the recommended fix. If no patch is available, implement strict input validation and output encoding on the 'sname' parameter.
While no active exploitation campaigns are currently known, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-4578.