Description
A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An application-level flaw in SourceCodester Inventory System allows an attacker to manipulate the ROLE argument in the users_handler.php script, leading to improper authorization. The vulnerability permits the creation of user accounts with roles that may not be authorized, which can potentially provide elevated access depending on how the system enforces role permissions. This weakness is rooted in incorrect role validation (CWE-266, CWE-285). The likely impact, creating accounts with higher privileges, is inferred from the ability to manipulate role values; the exact privilege level depends on the system's role enforcement.

Affected Systems

SourceCodester Inventory System version 1.0 contains a vulnerable component located at /Product_Inventory/api/users_handler.php. The vulnerability affects the account‑creation handler and may allow manipulation of role assignments during user registration.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, and the description explicitly states the attack can be performed remotely. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. However, an exploit has been publicly released, indicating that attackers may already leverage it. The vulnerability allows crafting requests to the account‑creation endpoint with arbitrary ROLE values, which could create unauthorized accounts with elevated roles.

Generated by OpenCVE AI on June 8, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a fixed version of SourceCodester Inventory System.
  • Re‑implement role validation on the server side to ensure that only authorized roles can be assigned; reject any ROLE values that are not explicitly allowed.
  • Limit or disable the public account‑creation endpoint, requiring staff approval or elevated privileges to create new users.
  • Apply a web‑application firewall or input filtering rule to block or raise alerts for requests that manipulate the ROLE parameter.
  • Audit access logs for suspicious user‑creation events and adjust permissions if unauthorized accounts are discovered.
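The server-side role check that the second and third recommended actions describe, as an added PHP illustration that is not the project's code: the role table, the session field and the function name are assumptions.

```php
<?php
// Added illustration (not SourceCodester's code): hardened role handling for an
// account-creation endpoint. Role names and session layout are hypothetical.
// Roles the server knows, ordered from least to most privileged.
const KNOWN_ROLES = ['viewer' => 0, 'clerk' => 1, 'manager' => 2, 'admin' => 3];
const DEFAULT_ROLE = 'viewer';

/**
 * Decide which role a new account gets. Weak pattern this replaces:
 *   $role = $_POST['ROLE'];   // client picks its own role, no server check
 *
 * @param string|null $requestedRole  value of the ROLE parameter, if any
 * @param string|null $callerRole     role of the authenticated caller, null if anonymous
 * @return string                     role to store, never above the caller's own
 * @throws InvalidArgumentException   on unknown or unauthorized role requests
 */
function resolveNewAccountRole(?string $requestedRole, ?string $callerRole): string
{
    // Self-registration (no authenticated caller) always gets least privilege;
    // any supplied ROLE is ignored rather than trusted.
    if ($callerRole === null) {
        return DEFAULT_ROLE;
    }
    if (!isset(KNOWN_ROLES[$callerRole])) {
        throw new InvalidArgumentException('caller has an unknown role');
    }
    if ($requestedRole === null || $requestedRole === '') {
        return DEFAULT_ROLE;
    }
    // Allowlist check: reject anything not in the server-side role table.
    if (!isset(KNOWN_ROLES[$requestedRole])) {
        throw new InvalidArgumentException('unknown role requested');
    }
    // Authorization check: a caller may not create an account above its own level.
    if (KNOWN_ROLES[$requestedRole] > KNOWN_ROLES[$callerRole]) {
        throw new InvalidArgumentException('caller may not assign a higher role');
    }
    return $requestedRole;
}

// In the handler, the caller's role comes from the server-side session, never
// from the request body; a rejected request gets 403 and no account is created.
session_start();
try {
    $role = resolveNewAccountRole($_POST['ROLE'] ?? null, $_SESSION['role'] ?? null);
} catch (InvalidArgumentException $e) {
    http_response_code(403);
    exit('role not permitted');
}
```

Logging the rejected requests from the catch branch gives the audit trail the last recommended action asks for.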

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Title | | SourceCodester Inventory System Account Creation users_handler.php improper authorization
First Time appeared | | Sourcecodester; Sourcecodester inventory System
Weaknesses | | CWE-266; CWE-285
CPEs | | cpe:2.3:a:sourcecodester:inventory_system:*:*:*:*:*:*:*:*
Vendors & Products | | Sourcecodester; Sourcecodester inventory System
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-09T15:23:03.464Z

Reserved: 2026-06-07T16:01:22.165Z

Link: CVE-2026-11519

Vulnrichment

Updated: 2026-06-09T15:22:30.900Z

NVD

Status: Deferred

Published: 2026-06-08T15:16:43.610

Modified: 2026-06-09T01:34:33.987

Link: CVE-2026-11519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T16:30:06Z

Weaknesses