Skip to main content

CET Grading System CVE-2026-12176

| EUVDEUVD-2026-36656 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-13 VulDB GHSA-p2hp-3j63-rx7r
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS with no auth required, victim must click; scope changes as script executes in browser origin beyond the server component.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 14, 2026 - 00:22 NVD
MEDIUM LOW
CVSS changed
Jun 14, 2026 - 00:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jun 13, 2026 - 23:51 vuln.today

DescriptionCVE.org

A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the file /index.php. The manipulation of the argument action leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized action parameter in /index.php. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

Technical ContextAI

The affected product is a PHP-based educational web application developed by SourceCodester, identified by CPE cpe:2.3:a:sourcecodester:cet_automated_grading_system_with_ai_predictive_analytics:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), specifically a failure to sanitize or encode user-controlled input in the action GET/POST parameter before reflecting it into HTML output within /index.php. This class of flaw arises when server-side PHP code passes unsanitized user input directly into rendered HTML without applying functions such as htmlspecialchars(). The wildcard version specifier in the CPE string suggests all available releases may be affected, not just version 1.0.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary remediation is to apply proper output encoding for the action parameter in /index.php using PHP's htmlspecialchars() with the ENT_QUOTES flag before any reflection into HTML context, and to validate that the parameter value matches an expected allowlist of actions. If the application cannot be immediately patched, operators should consider deploying a Web Application Firewall (WAF) rule to block requests with script injection patterns in the action parameter - note this is a compensating control only and may be bypassed with encoding variants. Restricting access to the application to trusted internal networks or authenticated VPN sessions will eliminate the network-exposed attack surface at the cost of external accessibility. Administrators should monitor VulDB entry https://vuldb.com/vuln/370818 and https://www.sourcecodester.com/ for any upstream patch release.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-12176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy