CVE-2026-10112: XSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability exists in the Dashboard Page of sambitraj's STUDENT-MANAGEMENT-SYSTEM 1.0, where insufficient input sanitization on the Name argument permits script injection. The attack vector is network-based with low complexity; however, exploitation requires high privilege access and user interaction (UI:R). The flaw maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), indicating both XSS and potentially dangerous code generation patterns. Confidentiality impact is nil, integrity impact is low, and availability is unaffected.
Business impact
Organizations deploying STUDENT-MANAGEMENT-SYSTEM 1.0 face a limited but real risk of session hijacking, credential theft, or malware distribution if an authenticated high-privilege user is tricked into clicking a malicious link or visiting a crafted page. Since the attack requires both high privilege and user interaction, the practical exposure is constrained to administrative or staff accounts and scenarios where social engineering is effective. Educational institutions using this system should assess whether student or instructor data could be compromised through such attacks, though the low CVSS score suggests this is not a critical enterprise threat.
Affected systems
STUDENT-MANAGEMENT-SYSTEM version 1.0 by sambitraj is confirmed affected. No vendor product data or version ranges beyond 1.0 have been disclosed. Organizations should verify whether they operate this specific version; upgrades or migrations to patched releases should be prioritized if this system is internet-facing or handles sensitive education records.
Exploitability
The vulnerability is remotely exploitable but requires high privilege credentials and user interaction to succeed. Public disclosure of the exploit has occurred, lowering the barrier to weaponization for adversaries who gain administrative access or who can socially engineer a privileged user. The low privilege barrier and public exploit code mean that this is not a zero-day, and attackers may actively probe for unpatched instances.
Remediation
No patch has been released by the vendor as of the latest modification date (2026-06-17), despite early notification through an issue report. Organizations should contact sambitraj for patch availability or security updates. In the interim, apply network controls restricting Dashboard Page access to trusted networks, enforce strong authentication for administrative accounts, and conduct user awareness training to reduce social engineering risk.
Patch guidance
Verify the latest release from sambitraj's repository or official channels for a patched version addressing CVE-2026-10112. If a patch is not yet available, document the compensating controls implemented (network segmentation, access restrictions, or WAF rules) and maintain a remediation timeline. Request an explicit security patch release date from the vendor. Test any patch in a non-production environment before deployment to ensure compatibility with existing student and staff workflows.
Detection guidance
Monitor web server and application logs for suspicious Name parameter values containing script tags, event handlers (onerror, onload, onclick), or encoded payloads. Implement input validation rules that reject or sanitize Name fields containing HTML or JavaScript syntax. Deploy a Web Application Firewall (WAF) configured to block XSS patterns on the Dashboard Page endpoint. Log and alert on failed privilege escalation attempts or unusual administrative login activity that might precede an attack. Browser-based detection tools (Content Security Policy, XSS filters) can also mitigate reflected attacks if properly configured.
Why prioritize this
While CVSS 2.4 is low severity, this vulnerability merits attention because public exploit code exists and the attack path is straightforward for any authenticated high-privilege user. The lack of vendor response despite early notification suggests that patches may be delayed; thus, defensive controls and user awareness are critical in the near term. Educational institutions managing sensitive student data should treat this as a medium-priority remediation item due to reputational and compliance implications, even if technical severity is low.
Risk score, explained
The CVSS 3.1 score of 2.4 reflects the low technical impact (integrity only, no confidentiality or availability loss), the requirement for high privilege and user interaction, and the unchanged security context (S:U). However, the public disclosure and demonstrated exploitability elevate risk beyond the raw score; organizations should factor in their environment's attack surface, the sensitivity of student data, and the likelihood that social engineering could succeed against staff.
Frequently asked questions
Should we patch this immediately if we run STUDENT-MANAGEMENT-SYSTEM 1.0?
No patch is currently available from the vendor. Instead, focus on implementing compensating controls: restrict administrative access to trusted networks, enforce multi-factor authentication, monitor logs for XSS patterns, and educate staff not to click suspicious links or visit untrusted pages while logged in as an administrator. Re-check the vendor's repository regularly for patch availability.
Can this vulnerability lead to full system compromise?
No. The CVSS score and impact assessment show that integrity is minimally affected and confidentiality and availability are unaffected. Exploitation typically results in session hijacking, credential theft, or malware delivery to a single user's session, not system-wide compromise. However, if a high-privilege account is compromised, the attacker gains the privileges of that account.
How do we detect if someone has tried to exploit this?
Search application and web server logs for Name parameter values containing HTML or script syntax, event handler attributes, or encoded payloads. Set up alerts for Dashboard Page requests with suspicious parameter patterns. Monitor for unusual administrative logins or privilege escalations. A WAF with XSS rules can also log and block attempts.
Is this in the CISA KEV catalog?
No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning there is no evidence of active exploitation in the wild at scale or ransomware campaigns exploiting it. However, public exploit code does exist, so vigilance is still warranted.
This analysis is provided for informational purposes and should not be construed as legal advice or a guarantee of security. Vulnerability details are based on publicly disclosed information as of the modification date. Vendors' security practices and patch timelines are subject to change. Organizations should independently verify patch availability, test thoroughly before production deployment, and consult vendor advisories and their own security teams for definitive remediation guidance. SEC.co assumes no liability for damages arising from this vulnerability or from reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0
- CVE-2026-10529LOWwestboy CicadasCMS XSS in Task Scheduling Module