CVE-2026-3402: Cross Site Scripting in PHPGurukul Student Record Management System
A security vulnerability has been detected in PHPGurukul Student Record Management System up to 1.0. This vulnerability affects unknown code of the file /edit-course.php. Such manipulation of the argument Course Short Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2026-3402 identifies a cross-site scripting (XSS) vulnerability in PHPGurukul Student Record Management System version 1.0, specifically in the /edit-course.php script. The flaw stems from inadequate input validation and output encoding of the 'Course Short Name' parameter, which an attacker can manipulate to inject JavaScript. Remote attackers can craft URLs or form submissions that, when visited or submitted by an authenticated user, execute arbitrary scripts in the victim's browser context. The CVSS 4.0 vector is network-based (AV:N) with low attack complexity (AC:L), high privileges required (PR:H) and passive user interaction (UI:P): a victim must interact with the crafted content for the payload to run. The vulnerability mainly affects the confidentiality and integrity of user sessions and data by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the victim; it does not affect availability and records no scope change or security-requirement changes. No patch is currently linked, and the public disclosure of exploit code increases the risk of exploitation. The vulnerability is rated medium severity with a CVSS score of 4.8, reflecting moderate impact and exploitability. The affected product is mainly used by educational institutions to manage student records, so the confidentiality of student data and the integrity of administrative functions are the critical concerns.
Potential Impact
The primary impact of CVE-2026-3402 is the potential compromise of user sessions and data integrity within educational institutions using the PHPGurukul Student Record Management System. Attackers exploiting this XSS vulnerability can execute arbitrary scripts in the context of authenticated users, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions. This can lead to unauthorized access to sensitive student records, manipulation of course data, and erosion of trust in the system. While the vulnerability does not directly affect system availability, the indirect consequences such as phishing, credential theft, and data tampering can disrupt institutional operations and lead to reputational damage. The risk is heightened in environments where users have elevated privileges or where the system interfaces with other critical educational or administrative platforms. The public disclosure of the exploit code increases the likelihood of opportunistic attacks, especially in institutions with limited cybersecurity defenses or delayed patching processes.
Mitigation Recommendations
To mitigate CVE-2026-3402, organizations should implement strict input validation and output encoding on the 'Course Short Name' parameter within the /edit-course.php file to neutralize malicious scripts. Employing a web application firewall (WAF) with rules targeting XSS payloads can provide an additional layer of defense. Administrators should review and restrict user permissions to minimize the impact of any successful exploitation, ensuring that only trusted users can access course editing functionalities. Regular security audits and code reviews focused on input handling should be conducted to identify and remediate similar vulnerabilities. Since no official patch is currently available, consider isolating the affected module or restricting access to it via network segmentation or VPN access until a fix is released. User education on recognizing phishing and suspicious links can reduce the risk of successful social engineering attacks leveraging this vulnerability. Monitoring web server logs for unusual parameter values or repeated injection attempts can help detect exploitation attempts early.
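The validation and output encoding the recommendations call for, as an added PHP example that is not PHPGurukul's code; the form field name `courseshortname`, the allowlist pattern and the handler shape are assumptions made for illustration:

```php
<?php
// Added example, not PHPGurukul's code: validating and encoding the
// "Course Short Name" value that /edit-course.php accepts. The field name
// `courseshortname` and the handler shape are assumptions for illustration.
declare(strict_types=1);
// Vulnerable pattern (the class of bug described in CVE-2026-3402): the
// value is concatenated into markup unescaped, so quotes or angle brackets
// in it are interpreted as HTML rather than displayed as text.
function renderShortNameUnsafe(string $shortName): string
{
    return '<input type="text" name="courseshortname" value="' . $shortName . '">';
}

// Fix 1: input validation. A course short name is a short code such as
// "CS101" or "BSC-IT", so a tight allowlist rejects markup characters
// before the value is stored.
function validateShortName(string $raw): ?string
{
    $value = trim($raw);
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9 _.-]{0,19}$/', $value) === 1 ? $value : null;
}

// Fix 2: output encoding. Escape on every render, quotes included, so a value
// that predates validation in the database still cannot break out of the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderShortName(string $shortName): string
{
    return '<input type="text" name="courseshortname" value="' . h($shortName) . '">';
}

// Hardened handler: validate the submitted field, then render the encoded
// value back into the form (persisting it is out of scope here).
function handleEditCourse(array $post): string
{
    $shortName = validateShortName((string)($post['courseshortname'] ?? ''));
    if ($shortName === null) {
        http_response_code(400);
        return 'Invalid course short name.';
    }
    return renderShortName($shortName);
}

// Constructed inputs for a quick CLI run: a valid code, then one carrying markup.
echo handleEditCourse(['courseshortname' => 'CS101']), PHP_EOL;
echo handleEditCourse(['courseshortname' => 'x"><b>']), PHP_EOL;
```

Both defences belong together: validation shrinks what reaches the database, while encoding at every output point protects records that were stored before the fix and any other page that renders the same column.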
Affected Countries
India, Pakistan, Bangladesh, Nepal, Sri Lanka, United States, United Kingdom, Australia, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-01T06:49:32.164Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a4e02a32ffcdb8a2fae9bd
Added to database: 3/2/2026, 12:56:10 AM
Last enriched: 3/9/2026, 1:25:53 AM
Last updated: 4/15/2026, 5:41:27 AM