Skip to main content

School Student Management System CVE-2026-10169

| EUVD-2026-33489 LOW
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-31 VulDB GHSA-2g5r-9gqc-w68v
Information Disclosure PHP
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 31, 2026 - 05:29 vuln.today
CVSS changed
May 31, 2026 - 05:22 NVD
3.7 (LOW) 2.9 (LOW)

DescriptionCVE.org

A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Forgot Password endpoint
Delivery
Send crafted request with target email
Exploit
Exploit weak token generation or validation logic
Execution
Obtain or predict valid reset token
Persist
Submit token to reset target account password
Impact
Achieve unauthorized account access with limited integrity impact
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The Forgot Password endpoint (`ajax_forgot_password` in `application/controllers/Login.php`) must be network-reachable, which is the expected deployment configuration for a web-based school management system. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.9 is driven primarily by AC:H (High Attack Complexity), which substantially reduces practical exploitability - specific conditions beyond simple network access must be satisfied for the attack to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker accesses the publicly reachable Forgot Password endpoint and crafts requests manipulating the email parameter - for example, enumerating valid user accounts or triggering predictable reset token generation for a target account. Due to the high attack complexity, the attacker must satisfy specific conditions (such as timing, token prediction logic, or a multi-step interaction with the recovery flow) before achieving limited account integrity impact such as unauthorized password reset. …
Remediation No vendor-released patch has been identified at time of analysis - the project maintainer was notified via coordinated disclosure but has not responded. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-10169 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy