PatchSiren cyber security CVE debrief

CVE-2026-10228 raisulislamg4 CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the student_management_system_by_php repository maintained by raisulislamg4. The flaw resides in the admission_form_check.php file, where the Message parameter fails to properly sanitize user input, allowing injection of arbitrary web scripts. The vulnerability is remotely exploitable and requires low privileges with user interaction. The project uses a rolling release model, so specific version boundaries are unavailable; the last known affected commit is 310d950e09013d5133c6b9210aff9444382d16d1. The maintainer was notified via a GitHub issue but has not responded. A public exploit has been disclosed, increasing the likelihood of active exploitation.

Vendor: raisulislamg4
Product: student_management_system_by_php
CVSS: LOW 2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations or individuals running instances of this student management system for production or educational purposes; security teams monitoring for public XSS exploits in PHP-based academic software; developers evaluating open-source student information systems for adoption.

Technical summary

The admission_form_check.php file in raisulislamg4/student_management_system_by_php accepts a Message parameter without adequate sanitization, enabling attackers to inject malicious scripts that execute in victims' browsers. The vulnerability is classified as stored XSS with a LOW severity CVSS score of 2.0. Exploitation requires network access, low privileges, and user interaction. The project operates on a rolling release with no patched version available; the maintainer has not responded to responsible disclosure.

Defensive priority

low

Recommended defensive actions

Implement strict input validation and output encoding for the Message parameter in admission_form_check.php, applying context-appropriate sanitization such as HTML entity encoding before rendering user-supplied data in a
Apply Content Security Policy (CSP) headers to restrict execution of inline scripts and mitigate impact of any residual XSS vectors in the application
Monitor the GitHub issue tracker for maintainer response or community-provided patches, and consider forking or applying local mitigations if the project remains unresponsive
Review additional form handlers in the codebase for similar insufficient input sanitization patterns, particularly in files handling user-submitted messages or comments
Deploy web application firewall (WAF) rules to detect and block common XSS payloads targeting the admission_form_check.php endpoint until a patch is available

Evidence notes

The vulnerability was reported through VulDB (submit ID 822848, vuln ID 367507) and is tracked as GitHub issue #5 in the affected repository. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction required, with partial integrity impact. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) are identified as relevant weakness classifications.

Official resources

2026-06-01