CVE-2026-1421 identifies a cross-site scripting (XSS) vulnerability in the code-projects Online Examination System version 1.0. The vulnerability resides in an unspecified function within the Add Pages component, which improperly sanitizes user input, allowing attackers to inject malicious JavaScript code. This vulnerability is remotely exploitable without requiring authentication, but it requires user interaction to trigger the malicious script execution, such as a victim clicking a crafted link or viewing a manipulated page. The CVSS 4.0 base score is 5.1, indicating a medium severity level, reflecting the ease of exploitation (network accessible, low attack complexity) but limited impact scope (partial integrity and confidentiality impact, no availability impact). The vulnerability can lead to execution of arbitrary scripts in the context of the victim's browser, potentially enabling session hijacking, theft of sensitive information, or manipulation of exam content and results. No patches or official fixes have been released yet, and no known exploits are reported in the wild. The disclosure of the vulnerability means attackers could develop exploits, increasing risk over time. The Online Examination System is likely used by educational institutions or certification bodies, making the integrity and confidentiality of exam data critical. The lack of authentication requirement for exploitation increases the attack surface, but user interaction is necessary, which somewhat limits automated exploitation.

The primary impact of this XSS vulnerability is the compromise of confidentiality and integrity within the Online Examination System environment. Attackers can execute arbitrary scripts in users' browsers, potentially stealing session cookies, credentials, or personal data, leading to unauthorized access or impersonation. The integrity of exam content and results could be manipulated, undermining trust in the examination process. Although availability is not directly affected, successful exploitation could cause reputational damage and operational disruptions for organizations relying on this system. Educational institutions, certification authorities, and students are the main stakeholders at risk. The remote and unauthenticated nature of the vulnerability increases exposure, especially if users are tricked into interacting with malicious content. The absence of known exploits in the wild currently limits immediate widespread impact, but public disclosure raises the likelihood of future attacks. Organizations worldwide using this product without mitigations are vulnerable to targeted or opportunistic attacks that could compromise exam security and user privacy.

To mitigate CVE-2026-1421, organizations should implement strict input validation and output encoding on all user-supplied data within the Add Pages component to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges to reduce the potential impact of exploited accounts. Educate users about the risks of clicking unknown or suspicious links to reduce successful user interaction exploitation. Monitor web application logs for unusual input patterns or script injection attempts. Since no official patch is available, consider applying temporary workarounds such as disabling or restricting the vulnerable Add Pages functionality until a vendor fix is released. Conduct regular security assessments and penetration testing focused on XSS vulnerabilities. Finally, keep abreast of vendor announcements for patches or updates addressing this issue and apply them promptly upon release.