CVE-2026-2201 identifies a cross-site scripting (XSS) vulnerability in the ZeroWdd studentmanager application, affecting versions up to commit 2151560fc0a50ec00426785ec1e01a3763b380d9. The flaw exists in the addLeave function within the LeaveController.java source file, where the 'Reason for Leave' input parameter is not properly sanitized or encoded before being reflected in the web interface. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser when they view the affected page. The vulnerability can be exploited remotely without authentication, but requires user interaction such as clicking a malicious link or submitting a crafted form. The product follows a rolling release model for updates; however, the code repository has been inactive for years, indicating that official patches or updates may not be forthcoming. The CVSS 4.0 score of 4.8 reflects a medium severity, considering the ease of remote exploitation but limited impact on confidentiality and availability. The vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or deface the web interface. No known exploits are currently observed in the wild, but public disclosure increases the risk of exploitation attempts.

The primary impact of this XSS vulnerability is on the confidentiality and integrity of user sessions and data within the ZeroWdd studentmanager application. Attackers can execute arbitrary scripts in the context of authenticated users, potentially stealing session tokens, personal information, or performing unauthorized actions. This can lead to account compromise, data leakage, and reputational damage for organizations using the software. Since the application is likely used in educational environments to manage student leave records, exposure could disrupt administrative processes and erode trust. The lack of active maintenance and patch availability increases the risk of prolonged exposure. While availability impact is minimal, the integrity and confidentiality risks are significant enough to warrant attention. Organizations worldwide using this software or its derivatives face potential targeted attacks, especially if attackers craft phishing campaigns exploiting this vulnerability.

To mitigate CVE-2026-2201, organizations should implement strict input validation and output encoding on the 'Reason for Leave' parameter to neutralize malicious scripts. Employing context-aware encoding (e.g., HTML entity encoding) before rendering user input in web pages is critical. If source code modification is possible, developers should sanitize inputs using established libraries or frameworks that prevent XSS. Deploying a Web Application Firewall (WAF) with rules to detect and block XSS payloads can provide an additional protective layer. Given the inactivity of the official code repository, organizations should consider migrating to actively maintained alternatives or forks. User education to recognize phishing attempts and suspicious links can reduce the risk of exploitation via social engineering. Regular security assessments and penetration testing focused on web application vulnerabilities are recommended. Monitoring logs for unusual input patterns or error messages related to the addLeave function can help detect exploitation attempts early.