
Student Grades Management System EUVD-2026-31722

CVE-2026-9484 · LOW
Improper Authorization (CWE-285)
2026-05-25 · VulDB · GHSA-vrf4-h9f2-qjfw
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (CVSS 4.0 has no Scope metric; the source shows it as X)

Lifecycle Timeline (3 events)

  • Analysis Generated: Jun 08, 2026, 13:28 (vuln.today)
  • Severity Changed: May 26, 2026, 19:37 (NVD): MEDIUM → LOW
  • CVSS changed: May 26, 2026, 19:37 (NVD): 6.3 (MEDIUM) → 2.1 (LOW)

Description (CVE.org)

A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Analysis (AI-generated)

Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain valid application account
  • Delivery: Authenticate to Student Grades Management System
  • Exploit: Craft HTTP request with arbitrary classroom_id
  • Execution: Submit to classroom.php endpoint
  • Persist: Bypass object-level authorization check
  • Impact: Enumerate unauthorized student rosters or remove students from targeted classroom

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the attacker to hold a valid authenticated session in the Student Grades Management System (CVSS PR:L, low privileges), so a registered user account is a hard prerequisite. …

Risk Assessment: The CVSS 4.0 base score of 2.1 (LOW) is consistent with the limited scope: AV:N confirms network accessibility, AC:L indicates no special conditions, PR:L confirms that a valid (low-privileged) account is required, and VC:L/VI:L/VA:L indicate only limited confidentiality, integrity, and availability impact, with no impact on subsequent systems (SC:N/SI:N/SA:N). …

Exploit Scenario: An authenticated student or other low-privileged user logs into the Student Grades Management System and sends a crafted HTTP request to classroom.php, substituting arbitrary classroom_id values to invoke getClassroomStudents and enumerate the student roster of classrooms they are not enrolled in, or calls removeStudentFromClassroom to remove students from those classrooms. A publicly available exploit repository at https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report demonstrates the exact request format, lowering the barrier for exploitation by unsophisticated attackers who hold valid credentials.

Remediation: No vendor-released patch has been identified at the time of analysis; the SourceCodester project has not published a security advisory or a fixed release. …
