CVE-2026-4575 is a cross-site scripting vulnerability identified in the code-projects Exam Form Submission software, specifically version 1.0. The vulnerability arises from improper handling of the 'sname' parameter in the /admin/update_s2.php endpoint. This parameter is susceptible to injection of malicious JavaScript code because the application fails to adequately sanitize or encode user input before rendering it in the web interface. The attack vector is remote and does not require authentication bypass, but it does require the attacker to have high privileges (PR:H) and user interaction (UI:P), such as tricking an administrator into clicking a crafted link or submitting a malicious form. The CVSS 4.0 vector indicates no impact on confidentiality or availability, but a low impact on integrity, as the attacker can execute scripts in the context of the victim's browser session. This could lead to session hijacking, defacement, or redirection to malicious sites. Although an exploit has been published, there are no known widespread attacks exploiting this vulnerability in the wild. The vulnerability is limited to version 1.0 of the Exam Form Submission product, and no patches have been officially released yet. The vulnerability is classified as medium severity with a CVSS score of 4.8, reflecting the moderate risk posed by the requirement for high privileges and user interaction.

The primary impact of CVE-2026-4575 is the potential for attackers to execute arbitrary scripts in the context of an authenticated administrator's browser session. This can lead to session hijacking, unauthorized actions performed on behalf of the administrator, or defacement of the administrative interface. While confidentiality and availability are not directly affected, the integrity of administrative operations can be compromised. Organizations using the affected software may face risks of unauthorized data manipulation or exposure of sensitive administrative functions. The requirement for high privileges and user interaction limits the scope of exploitation but does not eliminate risk, especially in environments where administrators may be targeted via phishing or social engineering. The lack of known active exploitation reduces immediate threat but does not preclude future attacks, especially given that a public exploit is available. This vulnerability could undermine trust in the affected application and disrupt administrative workflows if exploited.

To mitigate CVE-2026-4575, organizations should implement strict input validation and output encoding for the 'sname' parameter in the /admin/update_s2.php endpoint. Specifically, applying context-aware encoding (e.g., HTML entity encoding) before rendering user input can prevent script injection. Until an official patch is released, administrators should consider restricting access to the vulnerable administrative interface via network segmentation or VPN to reduce exposure. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script sources. Additionally, educating administrators about phishing and social engineering risks can reduce the likelihood of user interaction exploitation. Monitoring web server logs for suspicious requests targeting the 'sname' parameter and anomalous administrator behavior can aid in early detection. Finally, organizations should track vendor updates and apply patches promptly once available.