Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Cross-site request forgery in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to perform unauthorized state-changing actions by tricking an authenticated user into visiting a malicious page. The CVSS 4.0 vector (VI:L, SC:N/SI:N/SA:N) confirms impact is limited to low-level integrity degradation on the vulnerable system with no confidentiality or availability consequence. A publicly available exploit (PoC HTML page and advisory) has been released to GitHub by researcher NARKHEDE-VAIBHAV; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
Technical ContextAI
CWE-352 (Cross-Site Request Forgery) describes a class of vulnerabilities where a web application fails to verify that state-changing HTTP requests originate from the authenticated user rather than from a third-party page. The root cause is the absence of CSRF token validation - a synchronizer token or double-submit cookie mechanism - on one or more functions within the SourceCodester CET Automated Grading System. Browsers automatically attach session cookies to all same-origin requests, so a forged form or fetch request on an attacker-controlled page can be submitted with the victim's credentials without the victim's knowledge. No CPE strings were included in the provided intelligence data, so the exact affected URI or module cannot be confirmed beyond 'an unknown function' as stated by VulDB. The product is a PHP-based academic grading application distributed via SourceCodester (sourcecodester.com), a platform known for hosting open-source student projects with historically inconsistent security practices.
RemediationAI
No vendor-released patch has been identified at time of analysis - the VulDB submission references only the SourceCodester homepage with no dedicated security advisory or fix release. Developers should implement CSRF synchronizer tokens on all state-changing HTTP endpoints; frameworks like Laravel (if used) offer built-in CSRF middleware that can be enabled globally. As a compensating control, setting the session cookie attribute SameSite=Strict prevents cross-site request submission entirely but may break certain legitimate cross-site navigation flows - SameSite=Lax is a less disruptive alternative. Administrators should also consider restricting the application to internal networks or VPN access, which eliminates the remote attack vector (AV:N) by making the application unreachable from attacker-controlled pages on the public internet. The public PoC advisory is available at https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9582-Cross-Site-Request-Forgery/Advisory.md and should be reviewed to understand the specific endpoint targeted.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31996
GHSA-5m37-p93x-2rf8