{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2939", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-21T15:14:14.765Z", "datePublished": "2026-02-22T09:32:09.695Z", "dateUpdated": "2026-02-25T18:26:22.340Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-22T09:32:09.695Z"}, "title": "itsourcecode Student Management System Add Student add_student cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Student Management System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Add Student Module"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-21T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-21T16:19:25.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "AS-AbdulSamad (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.347311", "name": "VDB-347311 | itsourcecode Student Management System Add Student add_student cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.347311", "name": "VDB-347311 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.755977", "name": "Submit #755977 | ITSOURCECODE Student Management System 1.0 Improper Neutralization of Alternate XSS Syntax", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AS-AbdulSamad/CVE-1/tree/main", "tags": ["related"]}, {"url": "https://drive.google.com/file/d/1a-qY55pgynQviBw9UxPoIDs-UNgz6zOH/view", "tags": ["exploit"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T18:26:11.772090Z", "id": "CVE-2026-2939", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T18:26:22.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2939", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T18:26:11.772090Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T18:26:16.804Z"}}], "cna": {"tags": ["x_freeware"], "title": "itsourcecode Student Management System Add Student add_student cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "AS-AbdulSamad (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "itsourcecode", "modules": ["Add Student Module"], "product": "Student Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-21T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-21T16:19:25.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.347311", "name": "VDB-347311 | itsourcecode Student Management System Add Student add_student cross site scripting", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.347311", "name": "VDB-347311 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.755977", "name": "Submit #755977 | ITSOURCECODE Student Management System 1.0 Improper Neutralization of Alternate XSS Syntax", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AS-AbdulSamad/CVE-1/tree/main", "tags": ["related"]}, {"url": "https://drive.google.com/file/d/1a-qY55pgynQviBw9UxPoIDs-UNgz6zOH/view", "tags": ["exploit"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-22T09:32:09.695Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2939", "state": "PUBLISHED", "dateUpdated": "2026-02-25T18:26:22.340Z", "dateReserved": "2026-02-21T15:14:14.765Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-22T09:32:09.695Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:itsourcecode:student_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "74BD4C69-0CA6-4526-8292-17D11CBC5BFB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en itsourcecode Student Management System 1.0. El elemento afectado es una funci\u00f3n desconocida del archivo /add_student/ del componente Add Student Module. La manipulaci\u00f3n resulta en cross-site scripting. Es posible lanzar el ataque de forma remota. El exploit se ha hecho p\u00fablico y podr\u00eda ser usado."}], "id": "CVE-2026-2939", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-22T10:15:56.520", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://drive.google.com/file/d/1a-qY55pgynQviBw9UxPoIDs-UNgz6zOH/view"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/AS-AbdulSamad/CVE-1/tree/main"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.347311"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.347311"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.755977"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Student Management System", "source": "cna", "vendor": "itsourcecode"}, "product": "student_management_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-04-17T16:32:22.125701+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011issued patch or upgrade the Student Management System to a version that fixes the XSS issue in the Add Student module", "When a patch is not yet available, implement server\u2011side input validation to reject or sanitize script tags and other special characters before they are rendered", "Configure a web application firewall or use output\u2011encoding libraries to encode HTML entities in the rendered page to protect against reflected XSS"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS) via remote input"}, "threat_synthesis": {"affected_systems": "The flaw affects itsourcecode Student Management System version 1.0. No other affected versions are listed.", "description_and_impact": "A flaw was discovered in the Student Management System 1.0, where an unknown function in the \"/add_student/\" module accepts unsanitized input that is reflected into web pages. This vulnerability allows an attacker to inject malicious scripts that execute in the browsers of users who view the affected pages. Because the attack is performed remotely through the web interface, any user who visits a crafted page could suffer from cookie theft, session hijacking, or defacement of the user interface. The public availability of the exploit increases the potential for real\u2011world attacks.", "risk_and_exploitability": "The CVSS score for this issue is 4.8, indicating moderate severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the Add Student form, where unsanitized values are reflected back to the client without proper escaping or filtering. An attacker with internet access can construct a malicious payload that is delivered to end\u2011users via the application, enabling client\u2011side code execution."}}}}, "created": "2026-02-23T14:29:18.571467+00:00", "updated": "2026-04-17T16:45:15.819157+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$student_management_system"]}