{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5644", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-05T20:36:14.383Z", "datePublished": "2026-04-06T10:00:18.668Z", "dateUpdated": "2026-04-07T03:05:43.892Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T10:00:18.668Z"}, "title": "Cyber-III Student-Management-System batch-notice.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "Cyber-III", "product": "Student-Management-System", "versions": [{"version": "1a938fa61e9f735078e9b291d2e6215b4942af3f", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $_SERVER['PHP_SELF'] results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-05T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-05T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-05T22:41:25.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Z3r0_0 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/355432", "name": "VDB-355432 | Cyber-III Student-Management-System batch-notice.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355432/cti", "name": "VDB-355432 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785867", "name": "Submit #785867 | Cyber-III Student-Management-System 1.0 XSS vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Cyber-III/Student-Management-System/issues/238", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/Cyber-III/Student-Management-System/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T03:05:33.204228Z", "id": "CVE-2026-5644", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:05:43.892Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $_SERVER['PHP_SELF'] results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5644", "lastModified": "2026-04-06T10:16:03.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-06T10:16:03.190", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Cyber-III/Student-Management-System/"}, {"source": "cna@vuldb.com", "url": "https://github.com/Cyber-III/Student-Management-System/issues/238"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785867"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355432"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355432/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "1a938fa61e9f735078e9b291d2e6215b4942af3f"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "student-management-system", "vendor": "cyber-iii"}], "analysis": {"en": {"generated_at": "2026-04-06T12:50:27.741949+00:00", "value": {"mitigation_remediation": ["Contact Cyber\u2011III support to obtain a patch or an updated release", "Disable or remove the /admin/Add notice/batch-notice.php function if it is not required for your installation", "Restrict access to the page so that only authenticated administrators can use it", "Validate and encode user input such as $_SERVER['PHP_SELF'] using functions like htmlspecialchars to neutralize injected code", "Deploy a web application firewall rule to block script injection via the vulnerable parameter"], "summary": {"action": "Assess Impact", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The Cyber\u2011III Student\u2011Management\u2011System is affected in any release that contains or precedes commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. No official patch or updated release has been issued, and the project has not responded to the issue.\n\nThe product uses continuous delivery with rolling releases, so version numbers are not clearly identified beyond this commit reference.\n\n\"Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.\"", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary JavaScript code by manipulating the server variable $_SERVER['PHP_SELF'] in the file /admin/Add notice/batch-notice.php, which is then executed in the browsers of users who submit the batch notice.\n\n\"The attack can be initiated remotely.\"", "risk_and_exploitability": "The CVSS score is 4.8, indicating a low\u2011moderate severity level. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploit code is publicly available, and the flaw can be triggered from a remote location. Because the flaw involves user\u2011controlled input, the attack surface remains open unless the vendor provides a fix or the deployment implements mitigating controls."}}}}, "created": "2026-04-06T20:14:40.870530+00:00", "updated": "2026-04-06T21:32:57.309860+00:00", "vendors": ["cyber-iii", "cyber-iii$PRODUCT$student-management-system"]}