CVE-2026-37750

MEDIUM

School Management System - Unauthenticated Reflected Cross-Site Scripting via register.php type Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-37750. PoCs published by menevarad007.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2026-37750, a reflected XSS vulnerability in School Management System 1.0. The exploit demonstrates the vulnerability by injecting a script payload into the 'type' parameter of register.php, which is reflected unescaped in the HTML output.

Description

A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php.

Exploits (1)

nomisec WORKING POC
by menevarad007 · poc
https://github.com/menevarad007/CVE-2026-37750

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: School Management System 1.0
No auth needed
Prerequisites: Target running School Management System 1.0 · Network access to the target
devstral-2 · analyzed May 03, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0037
EPSS Percentile: 28.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Published: Apr 28, 2026
Tracked Since: Apr 29, 2026