PatchSiren cyber security CVE debrief
CVE-2026-9471 yashpokharna2555 CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the StudentManagementSystem project at commit cb2f558ddf8d19396de0f92abf2d224d46a0a203. The vulnerability resides in the /student.php file, where the FIRST_NAME parameter fails to properly sanitize user input, allowing injection of arbitrary web scripts. The attack vector is network-based, requires low privileges, and depends on user interaction. The CVSS 4.0 score of 2.0 reflects limited integrity impact with no confidentiality or availability impact. The project uses continuous delivery with rolling releases, meaning no discrete version numbers are available to identify affected or patched states. The vendor was notified via GitHub issue #4 prior to disclosure but has not responded. The exploit is publicly known.
- Vendor
- yashpokharna2555
- Product
- StudentManagementSystem
- CVSS
- LOW 2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running StudentManagementSystem instances derived from the yashpokharna2555 repository, particularly those exposing student data entry interfaces to untrusted or semi-trusted users. Security teams in educational institutions using this or similar open-source student management platforms. Developers maintaining forks of this project should prioritize input sanitization patches.
Technical summary
The vulnerability is a stored cross-site scripting flaw in /student.php affecting the FIRST_NAME parameter. Input is not properly sanitized before rendering, permitting injection of executable scripts. The attack requires authenticated low-privilege access and victim interaction. No patch is available; the vendor was notified but is unresponsive. The rolling release model prevents version-based identification of affected instances.
Defensive priority
low
Recommended defensive actions
- Implement strict input validation and output encoding for the FIRST_NAME parameter in /student.php, applying context-appropriate sanitization (e.g., HTML entity encoding for browser-rendered output)
- Deploy Content Security Policy (CSP) headers to mitigate impact of any injected scripts
- Review and sanitize all user-controllable parameters in student-facing forms, not limited to FIRST_NAME
- Monitor repository for upstream commits addressing this issue given continuous delivery model
- Consider blocking or heavily restricting access to /student.php until patch available if threat model warrants
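The following is an added illustration of the first two defensive actions above (validate and encode FIRST_NAME, and ship a CSP header), and of the sanitize-before-render gap described in the technical summary. It is not code from the StudentManagementSystem project; the function names, the regex policy, the 64-character limit and the sample input are assumptions chosen for the example.

```php
<?php
// Added example (not the project's code): hardening pattern for a name field
// that is stored and later rendered into HTML, as FIRST_NAME is in /student.php.
// All function names and policy values below are illustrative assumptions.

declare(strict_types=1);

// Context-appropriate output encoding for an HTML text or attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would otherwise silently drop the field.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation for a personal-name field: reject values that are empty,
// over-long, or carry characters a name never needs (such as '<' or '>').
// Validation is a first gate only; output encoding below is the real control.
function isValidFirstName(string $value): bool
{
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return false;
    }
    // Unicode letters and combining marks, spaces, apostrophes, hyphens, periods.
    return preg_match('/^[\p{L}\p{M}\' .\-]+$/u', $value) === 1;
}

// Before: the stored value is interpolated straight into the page, so any
// markup saved earlier is interpreted by the victim's browser (stored XSS).
function renderRowVulnerable(string $firstName): string
{
    return "<td>$firstName</td>";
}

// After: the value is encoded at the point of output, regardless of what was
// stored or whether an older record predates the validation rule.
function renderRowHardened(string $firstName): string
{
    return '<td>' . encodeForHtml($firstName) . '</td>';
}

// Defence in depth: a policy that blocks inline script, so a value that slips
// past encoding still cannot execute. Must be called before any output is sent.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Request handling for the submitted field: validate on input, encode on output.
function handleStudentForm(array $post): array
{
    $firstName = (string) ($post['FIRST_NAME'] ?? '');
    if (!isValidFirstName($firstName)) {
        return ['ok' => false, 'error' => 'FIRST_NAME has disallowed characters or length'];
    }
    // A prepared statement would persist $firstName here (omitted in this example).
    return ['ok' => true, 'html' => renderRowHardened($firstName)];
}

// Constructed sample input (not taken from the advisory): markup embedded in a name.
$constructed = ['FIRST_NAME' => '<b>Ann</b>'];

// The validator rejects the value at the input gate.
var_dump(isValidFirstName($constructed['FIRST_NAME']));

// Side by side: the vulnerable renderer emits the tags as live markup, the
// hardened renderer emits them as inert entity-encoded text.
echo renderRowVulnerable($constructed['FIRST_NAME']), PHP_EOL;
echo renderRowHardened($constructed['FIRST_NAME']), PHP_EOL;

// The full request path returns an error for this input rather than storing it.
print_r(handleStudentForm($constructed));
```

The two controls are deliberately independent: the allow-list validator stops bad values entering the database, while `encodeForHtml` protects every render path even for records stored before the validator existed, which matters here because the rolling release model gives no clean way to tell which deployed instances already hold tainted rows. Applying the same encode-at-output rule to every user-controlled field, as the third action above recommends, closes the same class of bug rather than only the reported parameter.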
Evidence notes
Vulnerability identified in GitHub repository yashpokharna2555/StudentManagementSystem at specific commit cb2f558ddf8d19396de0f92abf2d224d46a0a203. Issue report filed at GitHub issue #4 with no vendor response. Vuldb submission 814002 and entry 365452 provide additional context. The CVSS 4.0 vector confirms a network attack vector, low attack complexity, low privileges required, and a user interaction dependency. CWE-79 (XSS) and CWE-94 (code injection) are classified as the primary weaknesses.