CVE-2026-2156
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Online Student Management System's announcement module, which could execute in other users' browsers. It affects all users of code-projects Online Student Management System 1.0 who have the announcement management module accessible. The attack can be performed remotely without authentication.
💻 Affected Systems
- code-projects Online Student Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator or user session cookies, perform account takeovers, redirect users to malicious sites, or deface the application.
Likely Case
Attackers will likely use this to steal session cookies and hijack administrator accounts to gain full control of the student management system.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized before reaching users' browsers.
🎯 Exploit Status
The exploit is publicly available on GitHub and requires minimal technical skill to execute. No authentication is required to access the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
No official patch is available. Consider implementing the workarounds below or replacing the software with a maintained alternative.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement proper input validation and output encoding in /admin/announcement/index.php to sanitize user input before it is processed and displayed.
- Modify the PHP code to use htmlspecialchars() or htmlentities() when outputting user-controlled data
- Implement Content Security Policy headers
Access Restriction
Restrict access to the vulnerable endpoint using web server configuration or network controls.
- Add 'Deny from all' to the .htaccess file for the /admin/announcement/ directory
- Configure firewall rules to block external access to the vulnerable path
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable or remove the announcement management module if not required
🔍 How to Verify
Check if Vulnerable:
Test by submitting a simple XSS payload like <script>alert('XSS')</script> to the /admin/announcement/index.php?view=add endpoint and check if it executes.
Check Version:
Check the software version in the application's admin panel or configuration files.
Verify Fix Applied:
After implementing fixes, test with the same XSS payload to ensure it's properly sanitized and doesn't execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin/announcement/index.php containing script tags or JavaScript code
- Multiple failed XSS attempts from the same IP address
Network Indicators:
- HTTP requests with suspicious parameters containing script tags or encoded JavaScript
- Traffic patterns showing exploitation attempts
SIEM Query:
source="web_logs" AND uri_path="/admin/announcement/index.php" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
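As an added example (not part of this advisory or the vendor's code), a small Python detector that applies the log indicators above to constructed request records. Unlike the literal SIEM match, it percent-decodes and lower-cases each request before matching, so the encoded variants mentioned under Network Indicators are caught as well; the record field names (src_ip, uri_path, query, request_body) are assumptions.

```python
"""Detection helper for XSS attempts against /admin/announcement/index.php.
Added example, not the advisory's or vendor's code. Sample records are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

TARGET_PATH = "/admin/announcement/index.php"

# Checked after decoding and lower-casing, so URL-encoded or
# mixed-case variants do not slip past a literal "<script>" match.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b"),
    re.compile(r"javascript\s*:"),
]

def normalize(text: str) -> str:
    """Percent-decode up to twice (double encoding is common) and lower-case."""
    decoded = text
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()

def is_xss_attempt(record: dict) -> bool:
    """True when a request to the announcement endpoint carries a script-like payload."""
    if record.get("uri_path") != TARGET_PATH:
        return False
    haystack = normalize(record.get("query", "") + " " + record.get("request_body", ""))
    return any(p.search(haystack) for p in XSS_PATTERNS)

def flag_records(records):
    """Return the flagged records and a per-source-IP count of attempts."""
    hits = [r for r in records if is_xss_attempt(r)]
    return hits, Counter(r["src_ip"] for r in hits)

# Constructed sample records (not real traffic); field names are assumed.
SAMPLE_LOGS = [
    {"src_ip": "203.0.113.7", "method": "POST", "uri_path": TARGET_PATH, "query": "view=add",
     "request_body": "title=Exam+dates&content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"src_ip": "203.0.113.7", "method": "POST", "uri_path": TARGET_PATH, "query": "view=add",
     "request_body": "title=Notice&content=%3Ca+href%3D%22JavaScript%3Aalert(1)%22%3Elink%3C%2Fa%3E"},
    {"src_ip": "198.51.100.4", "method": "POST", "uri_path": TARGET_PATH, "query": "view=add",
     "request_body": "title=Library+hours&content=Open+9-5"},
    {"src_ip": "198.51.100.9", "method": "GET", "uri_path": "/admin/index.php", "query": "",
     "request_body": "<script>"},
]

if __name__ == "__main__":
    hits, per_ip = flag_records(SAMPLE_LOGS)
    for r in hits:
        print(f"ALERT {r['src_ip']} {r['method']} {r['uri_path']}?{r['query']}")
    print("attempts per IP:", dict(per_ip))
```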