PatchSiren cyber security CVE debrief
CVE-2026-10112 sambitraj CVE debrief
A stored or reflected cross-site scripting (XSS) vulnerability exists in the STUDENT-MANAGEMENT-SYSTEM project version 1.0 by sambitraj. The flaw resides in an unspecified function on the Dashboard Page, where the Name parameter is not properly sanitized before being rendered in the browser. An attacker with high privileges (PR:H) can inject malicious scripts and trigger them in a victim's browser, potentially leading to session hijacking, defacement, or phishing. The attack vector is network-based (AV:N), attack complexity is low (AC:L), and passive user interaction is required (UI:P). The vulnerability has been publicly disclosed via a GitHub issue and Vuldb, but the vendor has not responded to the initial report. The CVSS 4.0 score of 1.9 reflects limited integrity impact (VI:L) with no confidentiality or availability impact, and a proof-of-concept exploit is public (E:P).
- Vendor: sambitraj
- Product: STUDENT-MANAGEMENT-SYSTEM
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-30
- Advisory updated: 2026-05-30
Who should care
Organizations running instances of sambitraj's STUDENT-MANAGEMENT-SYSTEM version 1.0, particularly those with multi-user dashboard access. Security teams monitoring for unpatched open-source education management systems. Developers maintaining forked versions of this project.
Technical summary
The vulnerability is a cross-site scripting flaw in the Dashboard Page of STUDENT-MANAGEMENT-SYSTEM 1.0. The Name parameter accepts unsanitized input that is rendered without proper output encoding, allowing script injection. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no attack requirements, high privileges required, passive user interaction, limited integrity impact, and proof-of-concept exploit maturity. The weakness classifications are CWE-79 and CWE-94.
Defensive priority
LOW
Recommended defensive actions
- Apply input validation and output encoding for the Name parameter on the Dashboard Page using context-appropriate sanitization (e.g., HTML entity encoding for rendered content)
- Implement Content Security Policy (CSP) headers to mitigate the impact of any injected scripts
- Review and sanitize all user-controllable inputs across the application for similar XSS patterns
- Monitor the vendor's GitHub repository for any security patches or responses to issue #3
- Consider temporarily restricting access to the Dashboard Page or implementing additional authentication controls if immediate patching is not feasible
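The first two actions above, as an added illustration rather than code from the STUDENT-MANAGEMENT-SYSTEM project: a constructed dashboard greeting that concatenates the Name parameter into HTML (the CWE-79 pattern this advisory describes) next to the hardened form that allow-lists the name on input, entity-encodes it on output, and sets a CSP header. The template, function names and sample values are assumptions; the real page's markup is not known from the advisory.

```python
"""Vulnerable vs. hardened rendering of a Name parameter on a dashboard page.

Added example, not the project's own code. Template and inputs are constructed.
"""
import html
import re

# Constructed greeting markup standing in for the real Dashboard Page.
_TEMPLATE = "<h1>Welcome, {name}</h1>"

# Allow-list for a display name: starts with a letter, then letters, digits,
# spaces, dots, apostrophes or hyphens, at most 64 characters in total.
_NAME_RE = re.compile(r"^[^\W\d_][\w .'\-]{0,63}$", re.UNICODE)


def render_dashboard_unsafe(name: str) -> str:
    """Vulnerable form: the Name value lands in the page unencoded."""
    return _TEMPLATE.format(name=name)


def validate_name(name: str) -> bool:
    """Input validation: reject names carrying markup characters."""
    return bool(_NAME_RE.match(name))


def render_dashboard_safe(name: str) -> str:
    """Hardened form: encode for the HTML text context at output time.

    html.escape(quote=True) turns < > & " ' into entities, so markup stored
    in the name is displayed as text instead of being parsed as HTML.
    """
    return _TEMPLATE.format(name=html.escape(name, quote=True))


def csp_header() -> dict:
    """Defence in depth: forbid inline script so an encoding miss elsewhere
    on the page still cannot execute as <script> or an on* handler."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
    }


if __name__ == "__main__":
    hostile = "<script>alert(1)</script>"      # constructed test value
    print(render_dashboard_unsafe(hostile))    # tag survives: XSS
    print(render_dashboard_safe(hostile))      # tag shown as literal text
    print(validate_name(hostile), validate_name("Ada Lovelace"))
```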
Evidence notes
The vulnerability is documented in the NVD with Vuldb as the CNA. The CVSS 4.0 vector indicates high privileges required (PR:H) and user interaction (UI:P), limiting the attack surface to authenticated administrative or privileged users. The weakness enumerations include CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection). The GitHub repository and issue tracker confirm the project location and the unaddressed report.
Official resources
Public disclosure occurred on 2026-05-30. The researcher reported the issue through a GitHub issue (issue #3) prior to public disclosure, but the vendor has not responded. The exploit details are publicly available through Vuldb.