CVE-2026-2201

2.4 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager's leave request functionality. Attackers can inject malicious scripts via the 'Reason for Leave' parameter, potentially compromising user sessions. The vulnerability affects all versions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9.

💻 Affected Systems

Products:
  • ZeroWdd studentmanager
Versions: All versions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9
Operating Systems: Any OS running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: The project uses rolling releases and the repository has been inactive for years, making version tracking difficult.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available, and XSS attacks are commonly weaponized in real-world attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Consider implementing input validation and output encoding in the LeaveController.java file, specifically in the addLeave function.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Implement server-side validation of the 'Reason for Leave' parameter and encode all user-controlled output.

Content Security Policy (applies to: all)

Implement a strict Content Security Policy header to mitigate XSS impact.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Disable or restrict access to the vulnerable leave request functionality

🔍 How to Verify

Check if Vulnerable:

Test by submitting a script payload (e.g., <script>alert('XSS')</script>) in the 'Reason for Leave' field and check if it executes.

Check Version:

Check the git commit hash or version metadata in the application.

Verify Fix Applied:

After implementing fixes, test with the same payload to ensure it's properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or long strings in leave request logs containing script tags or JavaScript

Network Indicators:

  • HTTP requests with script payloads in parameters

SIEM Query:

source="application_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
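As an added example (not part of this advisory or the studentmanager project), the same four indicators applied to constructed log lines in Python. It adds the step the one-line SIEM query leaves out: access logs store parameters URL-encoded, so the literal strings only match after decoding, repeated to catch double-encoded payloads.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the project): one request per line,
# with the parameter string URL-encoded as an access log would store it.
SAMPLE_LOGS = [
    "POST /leave/add reason=Family+visit+on+Friday",
    "POST /leave/add reason=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "POST /leave/add reason=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "POST /leave/add reason=Click+javascript%3Avoid%280%29",
    "POST /leave/add reason=%253Cscript%253E",  # double-encoded
    "GET /leave/list",
]

# The indicators from the SIEM query above, case-insensitive and tolerant
# of whitespace around "=" and ":".
INDICATORS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"onerror\s*=", re.I),
    re.compile(r"onload\s*=", re.I),
]

def suspicious(line, max_decodes=3):
    """Return the first matching indicator pattern, or None.

    Decode before matching, and repeat a few times so that
    double-encoded payloads are caught too.
    """
    candidate = line
    for _ in range(max_decodes + 1):
        for pat in INDICATORS:
            if pat.search(candidate):
                return pat.pattern
        decoded = unquote_plus(candidate)
        if decoded == candidate:  # nothing left to decode
            return None
        candidate = decoded
    return None

def scan(lines):
    """Return [(line_number, indicator)] for every flagged line."""
    return [(n, ind) for n, ind in
            ((n, suspicious(l)) for n, l in enumerate(lines, 1)) if ind]

if __name__ == "__main__":
    for n, ind in scan(SAMPLE_LOGS):
        print(f"line {n}: matched {ind!r}: {SAMPLE_LOGS[n - 1]}")
```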
