{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37750", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T19:49:13.220Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T19:49:13.220Z"}, "descriptions": [{"lang": "en", "value": "A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mahmoudai1/school-management-system"}, {"url": "https://github.com/mahmoudai1/school-management-system/blob/main/register.php"}, {"url": "https://github.com/menevarad007/CVE-2026-37750"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php."}], "id": "CVE-2026-37750", "lastModified": "2026-04-28T22:16:49.330", "metrics": {}, "published": "2026-04-28T22:16:49.330", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mahmoudai1/school-management-system"}, {"source": "cve@mitre.org", "url": "https://github.com/mahmoudai1/school-management-system/blob/main/register.php"}, {"source": "cve@mitre.org", "url": "https://github.com/menevarad007/CVE-2026-37750"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-29T01:30:56.579058+00:00", "value": {"mitigation_remediation": ["Validate and sanitize the 'type' query parameter before it is used or echoed in register.php.", "Remove the echo of the unsanitized 'type' value from responses to prevent reflection.", "Implement a Content Security Policy that limits the sources from which JavaScript can load, thereby mitigating the impact of any remaining reflected input."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the School Management System repository hosted by mahmoudai1 on GitHub. No specific version information has been provided, so the issue affects all available releases of the application as distributed in that repository.", "description_and_impact": "A reflected Cross\u2011Site Scripting vulnerability exists in the School Management System by mahmoudai1. An unauthenticated attacker can supply an arbitrary value for the 'type' query parameter in register.php. The value is returned unescaped in the browser, allowing an attacker to inject and execute malicious JavaScript within the victim\u2019s browser context. This client\u2011side execution can lead to session hijacking, credential theft, defacement, or phishing attempts against users who visit the vulnerable page.", "risk_and_exploitability": "Because the flaw is triggered by a GET parameter and does not require authentication, any external user can exploit it. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The lack of an advisory or patch suggests that exploitation is straightforward, making the risk high. An attacker can inject scripts that run in the context of any user who accesses the malformed URL."}}}}, "created": "2026-04-29T01:45:25.993760+00:00", "title": "Unsanitized \u2018type\u2019 Parameter Leads to Reflected XSS in School Management System", "updated": "2026-04-29T01:45:25.993773+00:00", "vendors": [], "weaknesses": ["CWE-79"]}