Skip to content
Threat Feed
high advisory

CVE-2026-14778: Improper Authorization in SourceCodester Onlne Examination & Learning Management System

A high-severity improper authorization vulnerability (CVE-2026-14778) exists in SourceCodester Onlne Examination & Learning Management System version 1.0, allowing remote attackers to bypass authorization checks by manipulating the `student_id`, `schedule_id`, or `action` arguments in `/ajax_enroll.php`, potentially leading to unauthorized access or actions.

The National Vulnerability Database (NVD) has published a high-severity vulnerability, CVE-2026-14778, affecting SourceCodester Onlne Examination & Learning Management System version 1.0. This flaw resides in an unspecified part of the /ajax_enroll.php component, specifically within the Enrollment Management functionality. Attackers can exploit this by manipulating the student_id, schedule_id, or action arguments, which leads to improper authorization. This allows remote attackers to bypass intended access controls and perform unauthorized actions within the system. The vulnerability has been publicly disclosed, increasing the risk of widespread exploitation. Defenders should prioritize patching and monitoring for exploitation attempts, as unauthorized access could lead to significant data breaches or system compromise.

Attack Chain

  1. Initial Access / Reconnaissance: An unauthenticated remote attacker identifies a SourceCodester Onlne Examination & Learning Management System 1.0 instance, potentially by scanning for known web application paths.
  2. Vulnerability Identification: The attacker targets the /ajax_enroll.php endpoint, recognizing its role in enrollment management.
  3. Parameter Manipulation: The attacker crafts HTTP POST or GET requests to /ajax_enroll.php, specifically manipulating the student_id, schedule_id, or action parameters with unexpected or malicious values.
  4. Authorization Bypass: The vulnerable system processes these manipulated parameters without adequate authorization checks, failing to properly validate the attacker's permissions or the legitimacy of the request.
  5. Unauthorized Action: Due to the improper authorization, the system executes the requested action as if the attacker possessed legitimate privileges (e.g., enrolling a student, modifying a schedule, or other administrative functions).
  6. Impact on System Integrity/Confidentiality: The attacker successfully gains unauthorized access to sensitive functionalities or data, leading to data modification, unauthorized data exposure, or full system compromise.

Impact

The successful exploitation of CVE-2026-14778 could lead to significant unauthorized access and data integrity issues. Attackers could enroll or unenroll students, modify examination schedules, or alter learning materials without legitimate credentials. This could disrupt educational operations, compromise the integrity of academic records, or expose sensitive student and course data. While no specific victim count or targeted sectors are currently identified, any organization using SourceCodester Onlne Examination & Learning Management System 1.0 is at risk.

Recommendation

  1. Apply any available patches or vendor advisories immediately for SourceCodester Onlne Examination & Learning Management System 1.0 to address CVE-2026-14778.
  2. Enable comprehensive webserver access logging to monitor for suspicious requests to /ajax_enroll.php that manipulate parameters related to student_id, schedule_id, or action.
  3. Implement Web Application Firewall (WAF) rules to detect and block anomalous requests targeting the student_id, schedule_id, or action parameters within requests to /ajax_enroll.php.