{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4909", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-26T16:05:14.223Z", "datePublished": "2026-03-27T02:25:24.360Z", "dateUpdated": "2026-03-27T02:25:24.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T02:25:24.360Z"}, "title": "code-projects Exam Form Submission update_s7.php cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Exam Form Submission", "versions": [{"version": "1.0", "status": "affected"}, {"version": "7.php", "status": "affected"}], "cpes": ["cpe:2.3:a:code-projects:exam_form_submission:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Exam Form Submission 1.0/7.php. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-26T17:10:18.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Niuzzz (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353660", "name": "VDB-353660 | code-projects Exam Form Submission update_s7.php cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353660", "name": "VDB-353660 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.777502", "name": "Submit #777502 | code-projects Exam Form Submission V1.0 cross site scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Niuzzz123/CVE-Niuzzz/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Exam Form Submission 1.0/7.php. This impacts an unknown function of the file /admin/update_s7.php. This manipulation of the argument sname causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks."}], "id": "CVE-2026-4909", "lastModified": "2026-03-27T03:16:02.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-27T03:16:02.763", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/Niuzzz123/CVE-Niuzzz/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353660"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353660"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.777502"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T07:05:13.720203+00:00", "value": {"mitigation_remediation": ["Check for an available patch or newer version of Exam Form Submission and upgrade if possible.", "If no patch exists, modify update_s7.php to validate or encode the sname input to eliminate script injection.", "Restrict access to the /admin/update_s7.php endpoint to trusted administrators only, enforcing authentication and role-based controls.", "Implement a Content-Security-Policy header or a web application firewall to mitigate any residual XSS risk.", "Monitor web application logs for suspicious requests to /admin/update_s7.php and investigate immediately."], "summary": {"action": "Patch", "impact": "Cross-site scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the code-projects Exam Form Submission product, specifically the file update_s7.php in the /admin directory of the application. No additional versions or products are listed as impacted; the description refers to the application as an overall product without a precise version list.", "description_and_impact": "A cross-site scripting vulnerability exists in the code-projects Exam Form Submission application. The flaw is located in the admin endpoint /admin/update_s7.php and is triggered when an attacker crafts a malicious value for the sname query parameter. The input is not properly validated or sanitized, allowing an attacker to inject arbitrary client-side scripts that run in the context of the victim\u2019s browser. Such a script can steal session cookies, deface pages, or execute further malicious actions on behalf of the user.", "risk_and_exploitability": "The CVSS base score of 4.8 indicates a moderate severity, reflecting the potential compromise of confidentiality, integrity, and availability of session data. The attack can be carried out remotely by sending a crafted HTTP request that includes a malicious sname value; the vulnerability is publicly available through the referenced discovery reports. The flaw is not listed in the CISA KEV catalog, and no EPSS score is provided. Because the vulnerability requires the victim to load the affected page, successful exploitation depends on user interaction, but the remote nature and lack of input restrictions increase the likelihood that an attacker could deliver the payload. Administrators should treat this as a high-priority patching issue."}}}}, "created": "2026-03-27T09:22:21.308693+00:00", "updated": "2026-03-27T09:22:21.308715+00:00", "vendors": []}