Description
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs in the ajax_forgot_password function of the Login controller; manipulating the email parameter results in a weak password recovery process. The flaw is classified as CWE-640, an insecure password recovery mechanism. The likely attack vector is remote via the forgot‑password endpoint, as the description explicitly states the attack can be launched remotely and the exploitation appears to be difficult.

Affected Systems

The affected product is the OUSL‑GROUP‑BrinaryBrains School Student Management System. No specific version numbers are available because the product does not use versioning; however, any instance running the vulnerable commit up to the hash 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 is susceptible.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in CISA KEV. The attack is characterized by high complexity and is reported as difficult to exploit, but the exploit is public, so systems exposing the forgot‑password endpoint to unauthenticated users face a moderate risk of compromise.

Generated by OpenCVE AI on May 31, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or secure the password‑reset endpoint until a fixed version is released, ensuring it is only accessible after proper authentication or email verification.
  • Implement strict validation and sanitization for the email parameter in the password‑reset logic to prevent manipulation.
  • Throttle or lock out repeated password‑reset attempts, and enable logging to detect suspicious activity.
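The three recommended actions above describe a hardened forgot-password flow. The following is an added illustration of those controls in plain PHP; it is not code from the OUSL-GROUP-BrinaryBrains project, and the class name, constants, storage and mailer are assumptions constructed for the example (the real controller lives in application/controllers/Login.php and is not reproduced here). It shows strict validation of the email parameter, per-IP and per-address throttling, a uniform response whether or not the account exists, an unguessable short-lived token that is stored only as a hash, and an audit entry per request for detection.

```php
<?php
// Added example (not the project's code): a hardened forgot-password handler.
// Storage and mail are in-memory stand-ins constructed for this example so the
// script runs stand-alone with `php`.
declare(strict_types=1);

final class ForgotPasswordService
{
    // Policy values below are assumptions, not the project's settings.
    private const WINDOW_SECONDS = 900;  // throttle window
    private const MAX_ATTEMPTS   = 3;    // attempts per key per window
    private const TOKEN_TTL      = 600;  // reset token lifetime

    private array $attempts    = [];     // throttle key => [timestamps]
    public array  $resetTokens = [];     // user id => ['hash' => ..., 'expires' => ...]
    public array  $outbox      = [];     // messages the stand-in mailer "sent"
    public array  $auditLog    = [];     // one line per request, for detection

    /** @param array<string,int> $users constructed table: email => user id */
    public function __construct(private array $users) {}

    private function throttled(string $key, int $now): bool
    {
        // Drop timestamps outside the window, then count what is left.
        $this->attempts[$key] = array_values(array_filter(
            $this->attempts[$key] ?? [],
            fn(int $t): bool => $t > $now - self::WINDOW_SECONDS
        ));
        if (count($this->attempts[$key]) >= self::MAX_ATTEMPTS) {
            return true;
        }
        $this->attempts[$key][] = $now;
        return false;
    }

    public function handle(array $request, string $clientIp, int $now): array
    {
        // Same body in every non-validation branch, so the caller cannot tell
        // "unknown account", "throttled" and "mail sent" apart.
        $generic = ['status' => 'ok',
                    'message' => 'If that address is registered, a reset link has been sent.'];

        // 1. Strict validation: one well-formed address, normalised.
        $raw   = $request['email'] ?? '';
        $email = is_string($raw) ? strtolower(trim($raw)) : '';
        if ($email === '' || strlen($email) > 254
            || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $this->auditLog[] = "$now ip=$clientIp result=invalid_email";
            return ['status' => 'error', 'message' => 'A valid email address is required.'];
        }

        // 2. Throttle per client IP and per target address.
        if ($this->throttled("ip:$clientIp", $now) || $this->throttled("email:$email", $now)) {
            $this->auditLog[] = "$now ip=$clientIp email=$email result=throttled";
            return $generic;
        }

        // 3. Unknown address: log it, answer exactly like the success case.
        if (!isset($this->users[$email])) {
            $this->auditLog[] = "$now ip=$clientIp email=$email result=unknown_account";
            return $generic;
        }

        // 4. Known address: random token, only its hash kept server-side, mailed
        //    to the address on file rather than anything taken from the request.
        $token = bin2hex(random_bytes(32));
        $this->resetTokens[$this->users[$email]] = [
            'hash'    => hash('sha256', $token),
            'expires' => $now + self::TOKEN_TTL,
        ];
        $this->outbox[]   = ['to' => $email, 'body' => "Reset token: $token"];
        $this->auditLog[] = "$now ip=$clientIp email=$email result=token_issued";
        return $generic;
    }
}

// Constructed users and requests exercising each branch.
$svc = new ForgotPasswordService(['alice@example.test' => 1, 'bob@example.test' => 2]);
$now = time();
$ip  = '203.0.113.5';
var_dump($svc->handle(['email' => 'not an address'], $ip, $now)['status']);
var_dump($svc->handle(['email' => 'nobody@example.test'], $ip, $now)['message']
      === $svc->handle(['email' => 'alice@example.test'], $ip, $now)['message']);
for ($i = 0; $i < 3; $i++) {
    $svc->handle(['email' => 'bob@example.test'], $ip, $now);   // third and later hit the IP limit
}
var_dump(count($svc->outbox));
print_r($svc->auditLog);
```

The audit lines are the detection hook from the third recommendation: a burst of `result=throttled` or `result=unknown_account` entries from one IP is the signal to alert on. Validation fails loudly (status `error`) because a malformed parameter is a client bug rather than an account-existence question, while every later branch returns the same body.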

Generated by OpenCVE AI on May 31, 2026 at 07:21 UTC.


Advisories

No advisories yet.

History

Sun, 31 May 2026 05:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
  Values Removed: (none)
  Values Added: OUSL-GROUP-BrinaryBrains School Student Management System Forgot Password Endpoint Login.php ajax_forgot_password password recovery

Type: First Time appeared
  Values Removed: (none)
  Values Added: Ousl-group-brinarybrains; Ousl-group-brinarybrains school Student Management System

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-640

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:ousl-group-brinarybrains:school_student_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Ousl-group-brinarybrains; Ousl-group-brinarybrains school Student Management System

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T04:45:06.943Z

Reserved: 2026-05-30T09:31:06.603Z

Link: CVE-2026-10169

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T05:16:24.190

Modified: 2026-05-31T05:16:24.190

Link: CVE-2026-10169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T07:30:06Z

Weaknesses