July 11, 2026
Here’s your Medium article on CVE-2026–10112
CVE-2026–10112: Low-Severity XSS Flaw Found in Student Management System Dashboard

By CyberPodcast
2 min read
CVE-2026–10112: Low-Severity XSS Flaw Found in Student Management System Dashboard
A stored cross-site scripting vulnerability in the Dashboard Page of sambitraj's STUDENT-MANAGEMENT-SYSTEM 1.0 allows a privileged attacker to inject malicious scripts through the Name field, though its practical impact is limited by high privilege requirements.[nvd.nist]
What Is STUDENT-MANAGEMENT-SYSTEM
STUDENT-MANAGEMENT-SYSTEM is the same open-source educational platform by developer sambitraj that has been the source of several recent CVE disclosures, including the login-page SQL injection tracked as CVE-2026–10111. This particular flaw sits in a different area of the application: the Dashboard Page, where user-submitted names are rendered without adequate sanitization.[feedly]
The Vulnerability Explained
The bug arises when the application takes the Name argument submitted through the Dashboard Page and renders it back into the page without properly neutralizing HTML or JavaScript content. This is a textbook cross-site scripting flaw, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and, according to VulDB, also CWE-94 (Improper Control of Generation of Code).[nvd.nist]
Unlike many XSS bugs that any anonymous visitor can trigger, this one requires an authenticated user with high privileges to submit the malicious payload, and it additionally requires user interaction from a victim who views the affected page. That combination of prerequisites is precisely why the vulnerability, despite being remotely exploitable, still lands in the low severity range.[dbugs.ptsecurity]
Severity Assessment
Scoring for this CVE varies notably depending on the framework and version used, reflecting genuine analytical disagreement about how much the privilege and interaction requirements should discount the risk.
AttributeDetailAffected softwaresambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 [nvd.nist]Vulnerable componentDashboard Page (Name parameter) [nvd.nist]Vulnerability typeCross-site scripting (CWE-79, CWE-94) [nvd.nist]CVSS v3.1 score2.4–3.3 (Low) [feedly]CVSS v4.0 score1.9 (Low) [nvd.nist]Attack vectorNetwork, but requires high privileges and user interaction [feedly]Exploit statusPublicly disclosed, no confirmed PoC in the wild [feedly]Patch availableYes, GHSA-2hcf-jmx4-h26p [feedly]PublishedMay 30, 2026 [feedly]
How an Attacker Exploits It
Because the attacker needs high-level privileges to reach the vulnerable field, this isn't a bug that random unauthenticated visitors can weaponize directly. Instead, a malicious insider or an attacker who has already compromised a privileged account can inject a crafted script into the Name field, which then executes in the browser of any other user who subsequently views the Dashboard Page.[feedly]
Successful exploitation could allow the attacker to steal session cookies, perform unauthorized actions on behalf of the victim, or deface the dashboard interface for other viewers. Notably, the project maintainer was informed of the issue early through a GitHub issue report but had not responded at the time of disclosure, even though a patch was eventually made available via GitHub Advisories.[nvd.nist]
Remediation Guidance
Unlike the related SQL injection flaws in this same software family, this vulnerability already has a fix ready to deploy.
- Apply the patch published in GitHub Security Advisory GHSA-2hcf-jmx4-h26p immediately.[feedly]
- Implement proper input validation and output encoding for the Name parameter on the Dashboard Page.[feedly]
- Deploy a Web Application Firewall configured to detect and block common XSS payload patterns.[feedly]
- Educate high-privilege users about the risks of viewing untrusted content or clicking suspicious links within the dashboard.[feedly]
- Audit accounts with high privileges regularly, since exploitation depends on an attacker already holding elevated access.[feedly]
Why This Matters
Even low-severity XSS bugs deserve attention when they exist inside applications with a documented pattern of unresolved security issues, since chaining a privilege-escalation bug with this flaw could produce a more serious attack path. The fact that a patch is already available makes this one of the more straightforward fixes among the recent wave of CVEs affecting this project, and administrators should apply it promptly rather than deprioritizing it due to its low score.[nvd.nist]