Platform
php
Component
exam-form-submission
Fixed version
1.0.1
CVE-2026-4595 is a cross-site scripting (XSS) vulnerability identified in Exam Form Submission version 1.0. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides within the /admin/update_s6.php file and is triggered by manipulating the 'sname' argument. While the CVSS score is LOW, public disclosure means exploitation is possible.
Successful exploitation of CVE-2026-4595 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, defacement of the application's administrative interface, and theft of sensitive information such as user credentials or exam data. The remote nature of the vulnerability means an attacker does not need to be on the same network as the application to exploit it. Given the publicly disclosed nature of the exploit, it is likely that automated scanning tools are already attempting to identify and exploit vulnerable instances.
CVE-2026-4595 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is present in Exam Form Submission 1.0 and is accessible remotely. The availability of a public exploit increases the risk of automated attacks. No KEV listing or EPSS score is currently available.
Administrators of Exam Form Submission 1.0 installations are at immediate risk. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this XSS vulnerability. Users relying on Exam Form Submission for sensitive data collection or exam administration should prioritize mitigation.
• php / server:
grep -r 'sname' /admin/update_s6.php | grep -i '<script'
• generic web:
curl -I 'http://your-exam-form-submission-url.com/admin/update_s6.php?sname=<script>alert(1)</script>'
• generic web: Examine access logs for requests to /admin/update_s6.php containing suspicious characters in the 'sname' parameter (e.g., <script>, <!--, javascript:).
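The access-log check above, as an added example that is not part of the original advisory: it parses combined-format log lines, restricts to the affected path, percent-decodes the 'sname' value (twice, so double-encoded markers are not missed by a plain grep), and flags the markers the advisory lists. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /admin/update_s6.php?sid=7&sname=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2026:10:01:05 +0000] "GET /admin/update_s6.php?sid=7&sname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [12/Mar/2026:10:01:09 +0000] "GET /admin/update_s6.php?sname=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2026:10:01:12 +0000] "GET /index.php?sname=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/update_s6.php"   # affected script named in the advisory
PARAM = "sname"                         # affected parameter named in the advisory
# Markers listed in the advisory; compared case-insensitively after decoding.
SUSPICIOUS = ("<script", "<!--", "javascript:")


def decoded_param_values(target: str, name: str) -> list:
    """All values of `name` in the request target, percent-decoded twice."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])  # one decode
    return [unquote(v) for v in values]  # second decode catches %253C etc.


def is_suspicious(value: str) -> bool:
    low = value.lower()
    return any(marker in low for marker in SUSPICIOUS)


def scan_log(text: str) -> list:
    """Return one hit dict per request to the affected path with a suspicious sname."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        target = m.group("target")
        if urlsplit(target).path != TARGET_PATH:
            continue  # other endpoints are out of scope for this CVE
        for value in decoded_param_values(target, PARAM):
            if is_suspicious(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the query string is visible in access logs, so a 'sname' value sent in a POST body needs request-body logging or a WAF to be seen.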
disclosure
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4595 is to upgrade to a patched version of Exam Form Submission. Since a fixed version is not specified, thorough testing of any upgrade is crucial to avoid introducing new issues. As a temporary workaround, implement strict input validation and sanitization on the 'sname' parameter within /admin/update_s6.php. This should include escaping any potentially malicious characters before the value is rendered in a page. Consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting this specific endpoint. Regularly review access logs for suspicious activity related to /admin/update_s6.php.
Update the Exam Form Submission plugin to the latest available version to mitigate the XSS vulnerability. Consult the plugin's official source for update instructions and security patches. Implement input validation and escaping to prevent future XSS attacks.
CVE-2026-4595 is a cross-site scripting vulnerability in Exam Form Submission version 1.0, affecting the /admin/update_s6.php file. It allows attackers to inject malicious scripts via the 'sname' parameter.
If you are using Exam Form Submission version 1.0, you are potentially affected. Upgrade to a patched version as soon as possible.
Upgrade to a patched version of Exam Form Submission. If upgrading is not immediately possible, implement strict input validation and sanitization on the 'sname' parameter and consider using a WAF.
Due to the public disclosure of the exploit, it is likely that CVE-2026-4595 is being actively exploited or targeted by automated scanning tools.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-4595.