CVE-2026-7401 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. This vulnerability exists in the Registration component at /index.php?action=register, where improper input validation allows attackers to inject malicious scripts through multiple user-controllable parameters including student_id, full_name, section, and username.
Critical Impact
Unauthenticated attackers can inject persistent malicious scripts that execute in the context of administrator sessions when viewing student registrations, potentially leading to session hijacking, unauthorized actions, or data theft.
Affected Products
- SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0
- Registration Component (/index.php?action=register)
- Admin Dashboard viewing student registration data
Discovery Timeline
- 2026-04-29 - CVE-2026-7401 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7401
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The affected application fails to properly sanitize user input in the student registration form before storing it in the database and subsequently rendering it in the administrator dashboard.
The attack is particularly concerning because it is a stored XSS vulnerability, meaning the malicious payload persists in the application's database. When an administrator views the student registration list, the injected script executes automatically in their browser context. This can be exploited without any authentication, as the registration form is publicly accessible.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the Registration component. The application accepts user-supplied data through the student_id, full_name, section, and username parameters without properly sanitizing or escaping special characters. When this data is later displayed in the admin dashboard, it is rendered as HTML/JavaScript rather than as plain text, allowing script execution.
Attack Vector
The attack can be launched remotely over the network and requires user interaction—specifically, an administrator must view the registration data containing the malicious payload. An attacker can submit a crafted registration request containing JavaScript payloads in any of the vulnerable fields. The malicious script is stored in the application database and executes whenever an administrator accesses the student registration list.
The exploitation process involves submitting a registration form with malicious JavaScript embedded in vulnerable parameters. When an administrator views the registration data through the admin dashboard, the stored script executes in their browser session, potentially allowing the attacker to steal session cookies, perform actions on behalf of the administrator, or redirect users to malicious sites. A public proof-of-concept is available in the GitHub PoC Repository.
Detection Methods for CVE-2026-7401
Indicators of Compromise
- Unusual student registration entries containing HTML tags or JavaScript code in the student_id, full_name, section, or username fields
- Database records with script tags, event handlers (e.g., onerror, onclick), or encoded JavaScript payloads
- Administrator sessions being accessed from unexpected IP addresses or locations following admin dashboard usage
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS payloads in registration form submissions
- Review database entries in the student registration table for suspicious content patterns such as <script>, javascript:, or HTML event handlers
- Monitor HTTP request logs for registration submissions containing encoded or obfuscated script payloads
Monitoring Recommendations
- Enable logging for all registration form submissions and review for anomalous input patterns
- Configure alerts for administrator session anomalies that may indicate session hijacking
- Deploy browser-based content security policy (CSP) monitoring to detect inline script execution attempts
How to Mitigate CVE-2026-7401
Immediate Actions Required
- Restrict access to the CET Automated Grading System registration page until proper input validation is implemented
- Review existing database records for malicious content and sanitize or remove compromised entries
- Implement Content Security Policy (CSP) headers to mitigate the impact of any successful XSS injection
- Consider deploying a web application firewall (WAF) to filter malicious input patterns
Patch Information
No official vendor patch has been released at the time of publication. Organizations using SourceCodester CET Automated Grading System should monitor the SourceCodester Repository for security updates. Additional vulnerability details are available at VulDB #360133.
Workarounds
- Implement server-side input validation to strip or reject HTML tags and JavaScript code from all user-supplied fields in the registration form
- Apply output encoding (HTML entity encoding) when displaying user-supplied data in the admin dashboard
- Deploy a web application firewall with XSS protection rules enabled to filter malicious requests before they reach the application
# Example: Add Content-Security-Policy header in Apache configuration
# Add to .htaccess or Apache virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
# For nginx, add to server block:
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
