LOW 2.4

CVE-2026-10112: XSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard

CVE-2026-10112 is a stored or reflected cross-site scripting (XSS) vulnerability in the Dashboard Page component of STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker with high privileges can inject malicious scripts through the Name parameter, which are then executed in the browsers of users who view the affected page. The vulnerability requires user interaction and has a low CVSS score of 2.4, but exploitation has already been disclosed publicly.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability exists in the Dashboard Page of sambitraj's STUDENT-MANAGEMENT-SYSTEM 1.0, where insufficient input sanitization on the Name argument permits script injection. The attack vector is network-based with low complexity; however, exploitation requires high privilege access and user interaction (UI:R). The flaw maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), indicating both XSS and potentially dangerous code generation patterns. Confidentiality impact is nil, integrity impact is low, and availability is unaffected.

Business impact

Organizations deploying STUDENT-MANAGEMENT-SYSTEM 1.0 face a limited but real risk of session hijacking, credential theft, or malware distribution if an authenticated high-privilege user is tricked into clicking a malicious link or visiting a crafted page. Since the attack requires both high privilege and user interaction, the practical exposure is constrained to administrative or staff accounts and scenarios where social engineering is effective. Educational institutions using this system should assess whether student or instructor data could be compromised through such attacks, though the low CVSS score suggests this is not a critical enterprise threat.

Affected systems

STUDENT-MANAGEMENT-SYSTEM version 1.0 by sambitraj is confirmed affected. No vendor product data or version ranges beyond 1.0 have been disclosed. Organizations should verify whether they operate this specific version; upgrades or migrations to patched releases should be prioritized if this system is internet-facing or handles sensitive education records.

Exploitability

The vulnerability is remotely exploitable but requires high privilege credentials and user interaction to succeed. Public disclosure of the exploit has occurred, lowering the barrier to weaponization for adversaries who gain administrative access or who can socially engineer a privileged user. The low privilege barrier and public exploit code mean that this is not a zero-day, and attackers may actively probe for unpatched instances.

Remediation

No patch has been released by the vendor as of the latest modification date (2026-06-17), despite early notification through an issue report. Organizations should contact sambitraj for patch availability or security updates. In the interim, apply network controls restricting Dashboard Page access to trusted networks, enforce strong authentication for administrative accounts, and conduct user awareness training to reduce social engineering risk.

Patch guidance

Verify the latest release from sambitraj's repository or official channels for a patched version addressing CVE-2026-10112. If a patch is not yet available, document the compensating controls implemented (network segmentation, access restrictions, or WAF rules) and maintain a remediation timeline. Request an explicit security patch release date from the vendor. Test any patch in a non-production environment before deployment to ensure compatibility with existing student and staff workflows.

Detection guidance

Monitor web server and application logs for suspicious Name parameter values containing script tags, event handlers (onerror, onload, onclick), or encoded payloads. Implement input validation rules that reject or sanitize Name fields containing HTML or JavaScript syntax. Deploy a Web Application Firewall (WAF) configured to block XSS patterns on the Dashboard Page endpoint. Log and alert on failed privilege escalation attempts or unusual administrative login activity that might precede an attack. Browser-based detection tools (Content Security Policy, XSS filters) can also mitigate reflected attacks if properly configured.

Why prioritize this

While CVSS 2.4 is low severity, this vulnerability merits attention because public exploit code exists and the attack path is straightforward for any authenticated high-privilege user. The lack of vendor response despite early notification suggests that patches may be delayed; thus, defensive controls and user awareness are critical in the near term. Educational institutions managing sensitive student data should treat this as a medium-priority remediation item due to reputational and compliance implications, even if technical severity is low.

Risk score, explained

The CVSS 3.1 score of 2.4 reflects the low technical impact (integrity only, no confidentiality or availability loss), the requirement for high privilege and user interaction, and the unchanged security context (S:U). However, the public disclosure and demonstrated exploitability elevate risk beyond the raw score; organizations should factor in their environment's attack surface, the sensitivity of student data, and the likelihood that social engineering could succeed against staff.

Frequently asked questions

Should we patch this immediately if we run STUDENT-MANAGEMENT-SYSTEM 1.0?

No patch is currently available from the vendor. Instead, focus on implementing compensating controls: restrict administrative access to trusted networks, enforce multi-factor authentication, monitor logs for XSS patterns, and educate staff not to click suspicious links or visit untrusted pages while logged in as an administrator. Re-check the vendor's repository regularly for patch availability.

Can this vulnerability lead to full system compromise?

No. The CVSS score and impact assessment show that integrity is minimally affected and confidentiality and availability are unaffected. Exploitation typically results in session hijacking, credential theft, or malware delivery to a single user's session, not system-wide compromise. However, if a high-privilege account is compromised, the attacker gains the privileges of that account.

How do we detect if someone has tried to exploit this?

Search application and web server logs for Name parameter values containing HTML or script syntax, event handler attributes, or encoded payloads. Set up alerts for Dashboard Page requests with suspicious parameter patterns. Monitor for unusual administrative logins or privilege escalations. A WAF with XSS rules can also log and block attempts.

Is this in the CISA KEV catalog?

No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, meaning there is no evidence of active exploitation in the wild at scale or ransomware campaigns exploiting it. However, public exploit code does exist, so vigilance is still warranted.

This analysis is provided for informational purposes and should not be construed as legal advice or a guarantee of security. Vulnerability details are based on publicly disclosed information as of the modification date. Vendors' security practices and patch timelines are subject to change. Organizations should independently verify patch availability, test thoroughly before production deployment, and consult vendor advisories and their own security teams for definitive remediation guidance. SEC.co assumes no liability for damages arising from this vulnerability or from reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).