CVE-2026-1154 - Vulnerability Details

- SourceCodester E-Learning System Lesson index.php cross site scripting

Description

A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used.

Published: 2026-01-19

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the Lesson Module Handler of SourceCodester E‑Learning System 1.0, specifically in /admin/modules/lesson/index.php. The vulnerability allows an attacker to supply malicious content in the Title or Description parameters, causing a basic cross‑site scripting (XSS) response that is rendered to users who view the lesson page. The attack can be performed remotely by sending the crafted input to the web application, and an exploit has already been published and may be in use.

Affected Systems

The affected product is SourceCodester E‑Learning System version 1.0. The vulnerability resides in the admin lesson index handler, which is part of the Lesson Module Handler component. Any deployment of this version that exposes the admin lesson interface is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity; the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation at this time. The entry is not listed in the CISA KEV catalog. The issue is exploitable remotely via the web front‑end, and a successful XSS attack could enable session hijacking, defacement, or phishing attacks against users who load the compromised lesson page. No additional prerequisites beyond access to the book's administrative interface are required beyond sending the malicious payload.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

E-Learning System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:janobe:e-learning_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Sourcecodester	Responsive E-learning System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor‑issued patch or upgrade to a version of SourceCodester E‑Learning System that resolves the XSS issue.
If a patch is not yet available, sanitize or escape all user‑supplied Title and Description inputs before rendering them in the lesson page to prevent script execution.
Configure a Content Security Policy that restricts executable scripts to trusted sources and disable inline scripts to mitigate the impact of any remaining XSS inputs.

Generated by OpenCVE AI on April 18, 2026 at 05:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997
https://vuldb.com/?ctiid.341747
https://vuldb.com/?id.341747
https://vuldb.com/?submit.735855
https://www.sourcecodester.com/

History

Fri, 06 Feb 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Janobe Janobe e-learning System
CPEs		cpe:2.3:a:janobe:e-learning_system:1.0:::::::*
Vendors & Products		Janobe Janobe e-learning System

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester responsive E-learning System
Vendors & Products		Sourcecodester Sourcecodester responsive E-learning System

Mon, 19 Jan 2026 13:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used.
Title		SourceCodester E-Learning System Lesson index.php cross site scripting
Weaknesses		CWE-74 CWE-80
References		https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997 https://vuldb.com/?ctiid.341747 https://vuldb.com/?id.341747 https://vuldb.com/?submit.735855 https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Janobe E-learning System

Sourcecodester Responsive E-learning System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-19T12:32:06.674Z

Updated: 2026-02-23T08:45:51.524Z

Reserved: 2026-01-18T14:05:08.785Z

Link: CVE-2026-1154

Vulnrichment

Updated: 2026-01-20T21:30:40.893Z

NVD

Status : Analyzed

Published: 2026-01-19T13:16:20.177

Modified: 2026-02-06T19:37:55.050

Link: CVE-2026-1154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object