CVE-2026-4973: Cross Site Scripting in SourceCodester Online Quiz System
A vulnerability was detected in SourceCodester Online Quiz System up to version 1.0. It affects an unknown part of the file endpoint/add-question.php: manipulating the quiz_question argument results in cross-site scripting. The attack can be initiated remotely. The exploit is public and may be used.
AI Analysis
Technical Summary
CVE-2026-4973 identifies a cross-site scripting vulnerability in SourceCodester Online Quiz System version 1.0, specifically in the add-question.php file's quiz_question parameter. This parameter does not properly sanitize user input, allowing attackers to inject malicious JavaScript code. The vulnerability is remotely exploitable without authentication, though it requires user interaction to execute the malicious script. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary to trigger the payload. The vulnerability impacts confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or manipulate quiz content. The CVSS 4.0 vector indicates no impact on availability or system control but highlights the risk of user data compromise. Although no active exploits have been observed in the wild, a public exploit exists, increasing the risk of exploitation. The lack of vendor patches or official remediation guidance necessitates immediate defensive measures. This vulnerability is particularly relevant for educational institutions and organizations using SourceCodester's Online Quiz System for assessments or training.
Potential Impact
The primary impact of CVE-2026-4973 is the compromise of user confidentiality and integrity within the affected Online Quiz System. Attackers can execute arbitrary scripts in the context of the victim's browser, potentially stealing session tokens, credentials, or other sensitive information. This can lead to unauthorized access to user accounts or manipulation of quiz data, undermining the trustworthiness of assessments. The vulnerability does not affect system availability directly but can cause reputational damage and loss of user confidence. Since the exploit is remotely executable and requires no authentication, any exposed instance of the vulnerable software is at risk. Organizations relying on this system for educational or certification purposes may face data breaches or fraudulent activity. The medium severity score reflects moderate risk but should not be underestimated given the public availability of exploits.
Mitigation Recommendations
To mitigate CVE-2026-4973, organizations should implement strict input validation and output encoding on the quiz_question parameter to neutralize malicious scripts. Employing a web application firewall (WAF) with rules targeting XSS payloads can provide an additional layer of defense. Since no official patch is currently available, consider isolating the affected application from public networks or restricting access to trusted users only. Educate users about the risks of clicking suspicious links or submitting untrusted content. Regularly monitor logs for unusual activity related to add-question.php requests. If possible, update or replace the vulnerable software with a version that addresses this issue. Conduct security testing, including automated scanning and manual code review, to identify and remediate similar vulnerabilities in custom or third-party components. Finally, implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks.
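The following is an added example, not code from SourceCodester's Online Quiz System, showing what the recommended validation, output encoding and CSP header look like in PHP for a parameter such as quiz_question. The function names, the length limit and the sample input are assumptions made for illustration; the only thing taken from the advisory is the parameter name and the fact that it is reflected into HTML without encoding.

```php
<?php
// Added example (not the project's own code): hardening the handling of a
// quiz_question parameter against stored/reflected XSS. Function names,
// limits and the sample input below are assumptions for illustration.
declare(strict_types=1);

// Input validation: accept only what a quiz question legitimately needs.
// Returns the cleaned text, or null if the value should be rejected.
function validateQuizQuestion(string $raw): ?string
{
    $q = trim($raw);
    // Assumed limit: a question is short; long blobs are a sign of abuse.
    if ($q === '' || mb_strlen($q, 'UTF-8') > 500) {
        return null;
    }
    // Reject control characters (tab/newline excluded) that have no place in text.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $q)) {
        return null;
    }
    return $q;
}

// Output encoding: every write of user text into HTML goes through this, so
// '<', '>', '&', '"' and "'" are rendered as characters, not parsed as markup.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one question for the HTML page (the weak pattern the advisory
// describes amounts to echoing the parameter here without escapeHtml()).
function renderQuestion(string $question): string
{
    return '<li class="quiz-question">' . escapeHtml($question) . '</li>';
}

// Defence in depth: a CSP that blocks inline script and remote script
// sources, limiting the damage if encoding is missed somewhere else.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
}

function handleAddQuestion(array $post): string
{
    header('Content-Security-Policy: ' . cspHeaderValue());
    $question = validateQuizQuestion((string) ($post['quiz_question'] ?? ''));
    if ($question === null) {
        http_response_code(400);
        return 'Invalid question text.';
    }
    // Persist $question here with a prepared statement (storage omitted);
    // the value is stored raw and encoded on every output, not on input.
    return renderQuestion($question);
}

// Stand-alone demo with a constructed input containing markup characters.
if (PHP_SAPI === 'cli') {
    $sample = ['quiz_question' => 'Which tag is <script>? "Trick" question & more'];
    echo handleAddQuestion($sample), PHP_EOL;
    // Output: <li class="quiz-question">Which tag is &lt;script&gt;? &quot;Trick&quot; question &amp; more</li>
}
```

The design point is that validation narrows the input but is not what stops the script from running; the htmlspecialchars() call at output time is, and the CSP header is the safety net for any output path that forgets it. Note that escapeHtml() is correct only for text placed in HTML element content or quoted attributes; text placed inside a script block, a URL or a CSS context needs a different encoder.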
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Philippines
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-27T08:55:48.525Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6e53a3c064ed76fede078
Added to database: 3/27/2026, 8:14:50 PM
Last enriched: 3/27/2026, 8:31:40 PM
Last updated: 3/27/2026, 11:41:53 PM