CVE-2026-1141 - Vulnerability Details

- PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization

Description

A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.

Published: 2026-01-19

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises in the PHPGurukul News Portal 1.0, specifically affecting the add‑subadmins.php handler. The function is missing proper authorization checks, allowing any authenticated or unauthenticated user to create or modify sub‑admin accounts. The flaw represents Broken Authorization (CWE‑266 and CWE‑285) and could be used to elevate privileges, compromising the confidentiality and integrity of the system.

Affected Systems

The affected product is PHPGurukul News Portal version 1.0. According to the vendor registry and CPE data, only this version is presently affected; no other releases have been identified as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of <1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw via remote web requests to the add‑subadmins.php script, potentially gaining sub‑admin or greater privileges. The available information does not indicate denial of service or remote code execution capabilities, but the continuation of the vulnerability could lead to unauthorized account creation and privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PHPGurukul

News Portal

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:phpgurukul:news_portal:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Phpgurukul	News Portal	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the PHPGurukul News Portal to the latest patched version that fixes the improper authorization flaw.
If an upgrade is unavailable, implement additional application‑level checks on /admin/add-subadmins.php to ensure only users with a super‑admin role can execute the function.
Restrict access to the /admin/add-subadmins.php page at the network level, allowing only trusted IP addresses or VPN connections.
Enable robust logging of sub‑admin creation and alteration events, and monitor for anomalous activity to detect exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 05:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00081.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul
https://phpgurukul.com/
https://vuldb.com/?ctiid.341733
https://vuldb.com/?id.341733
https://vuldb.com/?submit.735483
https://vuldb.com/?submit.736668

History

Mon, 23 Feb 2026 08:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:phpgurukul:news_portal::::::::
References		https://vuldb.com/?submit.736668

Tue, 27 Jan 2026 20:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:phpgurukul:news_portal:1.0:::::::*

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Phpgurukul Phpgurukul news Portal
Vendors & Products		Phpgurukul Phpgurukul news Portal

Mon, 19 Jan 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used.
Title		PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization
Weaknesses		CWE-266 CWE-285
References		https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul https://phpgurukul.com/ https://vuldb.com/?ctiid.341733 https://vuldb.com/?id.341733 https://vuldb.com/?submit.735483
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Phpgurukul News Portal

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-19T06:02:07.574Z

Updated: 2026-02-23T08:42:58.178Z

Reserved: 2026-01-18T07:36:36.414Z

Link: CVE-2026-1141

Vulnrichment

Updated: 2026-01-20T21:26:49.066Z

NVD

Status : Modified

Published: 2026-01-19T07:16:22.027

Modified: 2026-02-23T09:16:45.457

Link: CVE-2026-1141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object