CVE-2026-11534: XSS Vulnerability in imvks786 Student Management System – Impacts Authenticated Users
A cross-site scripting (XSS) vulnerability exists in imvks786's student_management_system application. The flaw allows attackers to inject malicious scripts through the name, address, or fname parameters in the /add.php file. An attacker with authenticated access can craft a malicious request that, when clicked by another user, executes arbitrary JavaScript in that user's browser. The vulnerability is publicly known, and the development team has been notified but has not yet responded with a patch.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11534 is a stored or reflected XSS vulnerability (CWE-79) in imvks786 student_management_system affecting the /add.php endpoint. The vulnerability arises from insufficient input validation and output encoding of the name, address, and fname parameters. The application likely reflects user-supplied input directly into HTML responses or stores it without sanitization. The CVSS v3.1 score of 3.5 (LOW severity) reflects the requirement for authenticated access and user interaction to trigger the payload, limiting the attack scope to a single user's context. Code review and dynamic testing of parameter handling in the add.php form submission would confirm the exact injection point and whether the vulnerability is stored or reflected.
Business impact
The immediate risk is limited by the need for an authenticated account, yet the vulnerability could be exploited by internal users or attackers who have compromised legitimate credentials. Potential impacts include session hijacking, theft of sensitive student or institutional data, credential theft, defacement of the student management interface, and malware distribution to other users within the institution. Organizations relying on this system for student records face reputational harm and potential regulatory exposure if personal data is exfiltrated. The lack of vendor response increases the window of exposure.
Affected systems
imvks786 student_management_system is affected up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The project uses rolling releases without versioned snapshots, making it difficult to definitively identify which deployments are vulnerable. Any organization running this open-source application should assume it is affected unless they have applied a fix from a later commit post-disclosure (2026-06-08 publication date).
Exploitability
Exploitation requires authentication and user interaction—specifically, tricking a user into clicking a malicious link containing the XSS payload. The attack surface is the /add.php form, and the vector is network-accessible (AV:N). The low complexity (AC:L) means an attacker does not need specialized tools or knowledge. While the barrier to entry is modest for an insider with credentials, broader exploitation requires social engineering. The vulnerability is now public, and exploit code may exist, though this increases detection risk.
Remediation
Immediate actions: (1) Restrict access to /add.php to trusted networks or require additional authentication such as multi-factor authentication; (2) enable Content Security Policy (CSP) headers to mitigate XSS payload execution; (3) audit all form inputs (name, address, fname) for encoded malicious content in the database. Long-term: (1) apply a patch when the vendor releases one or upgrade to a commit dated after 2026-06-08; (2) conduct code review of /add.php and similar forms to implement input validation, output encoding, and parameterized queries; (3) consider using a templating engine that auto-escapes by default. Until a fix is available, monitor the project repository for updates or consider forking and patching internally.
Patch guidance
The vendor has not yet released a patch. Monitor the imvks786 student_management_system repository and issue tracker for updates. Patch availability depends on vendor responsiveness; as of the modification date (2026-06-17), no fix had been published. Organizations should test and deploy patches immediately upon release. Verify patches against the vendor's official advisory and apply to all instances of the application in development, staging, and production environments.
Detection guidance
Monitor web server logs for requests to /add.php containing unusual characters in the name, address, or fname parameters, such as <script>, javascript:, onerror=, onclick=, and other HTML/JavaScript syntax. Use a Web Application Firewall (WAF) to block requests with XSS payloads. Implement logging of form submissions and compare values before and after database storage to detect if payloads are being persisted. Search the student_management_system database for stored XSS patterns in records with name, address, or fname fields. Endpoint detection tools should flag process execution initiated by browser instances running student_management_system.
Why prioritize this
Although the CVSS score is LOW (3.5), the combination of public exploit availability, lack of vendor response, and the sensitive nature of student data warrants elevated attention. Prioritization should be based on: (1) whether the application handles personally identifiable information (PII) protected by FERPA, GDPR, or similar regulations; (2) whether the affected organization is an educational institution; (3) ease of credential compromise within the environment. For educational institutions, this should be treated as medium priority despite the low CVSS score due to regulatory and data protection obligations.
Risk score, explained
The CVSS v3.1 score of 3.5 reflects a low severity vulnerability constrained by the requirement for authentication (PR:L) and user interaction (UI:R), coupled with no direct confidentiality impact (C:N) and minimal integrity impact to the single user's session (I:L) with no availability impact (A:N). However, this score does not fully capture organizational risk: the vulnerability affects student records, remediation is pending, the exploit is public, and the vendor is unresponsive. Security leaders should supplement the base CVSS score with threat intelligence and organizational context before determining deployment priority.
Frequently asked questions
Does this vulnerability allow unauthenticated access?
No. The vulnerability requires an authenticated user account to access /add.php. However, if an attacker compromises valid credentials or works internally, they can exploit it. The requirement for user interaction means the attacker must trick another user into clicking a malicious link.
What is the difference between rolling releases and versioned releases, and why does it matter here?
Rolling releases are continuously updated without discrete version numbers. Versioned releases have snapshots (e.g., v1.2.3). The vendor's rolling model means there is no clear 'affected version'—affected instances are those running the code up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Organizations cannot rely on version numbers to determine if they are vulnerable; they must check their specific commit hash.
Has the vendor released a patch?
As of 2026-06-17 (the last modification date in this record), no patch had been released. The vendor was notified early but has not yet responded. Organizations should monitor the project repository for updates or consider implementing compensating controls (WAF rules, CSP headers) until a patch is available.
Can this vulnerability be exploited if our student_management_system instance is only accessible on an internal network?
Network isolation reduces risk but does not eliminate it. Insider threats, compromised credentials, or VPN access could still allow exploitation. Additionally, if any user with internal access is tricked into clicking a malicious link, their session could be compromised. Compensating controls and prompt patching remain essential.
This analysis is provided for informational purposes and reflects the state of CVE-2026-11534 as of the publication and modification dates shown. CVSS scores and severity ratings are derived from the Common Vulnerability Scoring System v3.1 and represent technical characteristics only; they do not constitute a complete risk assessment for any specific organization. Security leaders should supplement this intelligence with internal threat modeling, asset inventory, and incident response readiness. Patch availability and timelines are subject to vendor discretion and may change. Organizations are responsible for verifying patch applicability and conducting testing in non-production environments before deployment. This analysis does not constitute legal, compliance, or medical advice and should be reviewed by qualified security and legal professionals within your organization. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability
- CVE-2026-10245LOWStored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0
- CVE-2026-10246LOWStored XSS in SourceCodester Pharmacy System 1.0 – Remediation Guide
- CVE-2026-10247LOWXSS in SourceCodester Pharmacy Sales System 1.0
- CVE-2026-10514LOWCordysCRM Cross-Site Scripting (XSS) Vulnerability – Patch to 1.7.0