Description
A security flaw has been discovered in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0. Impacted is an unknown function of the file upload_files.php. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-07-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the upload_files.php script allows attackers to upload any file type without restriction. This unrestricted upload can be used to place executable or malicious scripts on the server, leading to remote code execution, data exfiltration, or other destructive actions. The weakness is catalogued as Improper Access Control and Unrestricted Upload of Dangerous File.

Affected Systems

SourceCodester Syllabus-Aligned Learning Management and Examination System version 1.0 is affected. The vulnerability resides in an unknown function of upload_files.php.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level. The exploit has been released to the public, so attackers can target the upload endpoint remotely through the web interface. Although the EPSS score is < 1% and the vulnerability is not listed in the KEV catalog, the low probability does not negate the potential for damage; a successful upload of a malicious file can lead to remote code execution and compromise of the underlying web server.

Generated by OpenCVE AI on July 6, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Limit accepted file types in upload_files.php to only safe MIME types and enforce strict MIME type validation.
  • Store uploaded files outside the web root or set the directory permissions so that files cannot be executed by the web server.
  • Enable logging and monitoring of the upload directory and deploy web application firewall rules to detect and block suspicious uploads.

Generated by OpenCVE AI on July 6, 2026 at 17:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Jul 2026 04:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0. Impacted is an unknown function of the file upload_files.php. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title SourceCodester Syllabus-Aligned Learning Management and Examination System upload_files.php unrestricted upload
First Time appeared Sourcecodester
Sourcecodester syllabus-aligned Learning Management And Examination System
Weaknesses CWE-284
CWE-434
CPEs cpe:2.3:a:sourcecodester:syllabus-aligned_learning_management_and_examination_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester syllabus-aligned Learning Management And Examination System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Syllabus-aligned Learning Management And Examination System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T16:50:47.714Z

Reserved: 2026-07-04T05:19:32.932Z

Link: CVE-2026-14698

cve-icon Vulnrichment

Updated: 2026-07-06T16:36:12.700Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T18:00:05Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-434

    Unrestricted Upload of File with Dangerous Type