EUVD-2026-31703
GHSA-4gg4-mpgv-4v2q
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an authenticated session with at least low-privilege access to the application (CVSS PR:L); unauthenticated exploitation is not supported by the available data. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The aggregate risk picture here is low-to-negligible for most organizations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with low-privilege access to the StudentManagementSystem submits a crafted FIRST_NAME value such as a script tag containing malicious JavaScript through the /student.php endpoint. When an administrative user or another authenticated user subsequently views the student record, the injected payload executes within their browser session, potentially enabling session token theft, credential harvesting via fake login overlays, or unauthorized actions performed under the victim's identity. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the maintainer has not responded to the responsible disclosure filed at https://github.com/yashpokharna2555/StudentManagementSystem/issues/4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today