Description
A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the marks function of the Parents controller. By supplying a crafted value in the param1 argument, an attacker can override the intended resource identifier, leading to unauthorized access or modification of student mark data. This flaw falls under improper control of resource identifiers (CWE‑99) and can compromise the confidentiality and integrity of the system by allowing users to read or update marks that they should not have permission to access.

Affected Systems

The affected product is the OUSL‑GROUP‑BrinaryBrains School Student Management System. All releases up to the commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are vulnerable. No patched releases have been published as of the last update.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The exploit is reported publicly and can be triggered remotely, but the EPSS score is not available, making precise exploitation likelihood uncertain. The vulnerability is not listed in the CISA KEV catalog, but a direct resource‑identifier injection attack could still be employed, posing a realistic risk to any organization using the affected system without a fix.

Generated by OpenCVE AI on May 31, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact the vendor to obtain a patch or a verified fix.
  • Restrict or disable remote access to the Marks endpoint in Parents.php until a fix is deployed.
  • Implement strict input validation or whitelist checks on the param1 argument to ensure only allowed resource identifiers are processed.


Advisories

No advisories yet.

History

Sun, 31 May 2026 05:15:00 +0000

Type: Values Added (Values Removed: none listed)

  • Description: A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: OUSL-GROUP-BrinaryBrains School Student Management System Parents.php marks resource injection
  • First Time appeared: Ousl-group-brinarybrains; Ousl-group-brinarybrains school Student Management System
  • Weaknesses: CWE-99
  • CPEs: cpe:2.3:a:ousl-group-brinarybrains:school_student_management_system:*:*:*:*:*:*:*:*
  • Vendors & Products: Ousl-group-brinarybrains; Ousl-group-brinarybrains school Student Management System
  • References:
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T04:00:11.447Z

Reserved: 2026-05-30T09:31:03.753Z

Link: CVE-2026-10168

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T05:16:24.033

Modified: 2026-05-31T05:16:24.033

Link: CVE-2026-10168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T06:30:06Z

Weaknesses