Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in QDOCS Smart School Management System up to 7.2. The impacted element is an unknown function of the file /admin/enquiry of the component Admission Enquiry Module. Performing a manipulation of the argument Note results in cross site scripting. The attack is possible to be carried out remotely.
AnalysisAI
Cross-site scripting (XSS) in QDOCS Smart School Management System up to version 7.2 allows authenticated remote attackers to inject malicious scripts via the Note parameter in the /admin/enquiry endpoint of the Admission Enquiry Module, potentially compromising session integrity and user data. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with low integrity impact. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (XSS) flaw classified under CWE-79, stemming from insufficient input validation and output encoding in the Admission Enquiry Module's Note field handler. The affected application is QDOCS Smart School Management System, an educational institution management platform. The flaw exists in the /admin/enquiry administrative endpoint, where user-supplied input via the Note parameter is processed without proper sanitization before being rendered in subsequent HTTP responses. An authenticated user with limited privileges can exploit this by crafting malicious JavaScript payloads within the Note argument, which are then executed in the browsers of users who view the admission enquiry record, particularly administrative users who likely have elevated access within the system.
RemediationAI
The primary remediation is to upgrade QDOCS Smart School Management System to a version newer than 7.2 once available from the vendor. Pending a patched release, administrators should implement input validation and output encoding controls on the Note parameter by restricting character sets to non-script-bearing content, implementing Content Security Policy (CSP) headers to restrict inline script execution, and ensuring that all user input is properly HTML-encoded before rendering in administrative dashboards. Restrict access to the /admin/enquiry endpoint via network-level controls (IP whitelisting, VPN requirements) to limit exposure to authenticated users. Monitor for any indicators of XSS exploitation, including unusual JavaScript injection attempts in admission enquiry records and anomalous user session activity. For additional context and vendor advisories, refer to VulDB references: https://vuldb.com/?id.353878 and https://vuldb.com/?ctiid.353878.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16897
GHSA-m3vr-rg3v-c5r5