Description
A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Access Control
Action: Patch or Restrict
AI Analysis

Impact

A flaw in the createUser.php script of SourceCodester Gas Agency Management System 1.0 allows an attacker to manipulate inputs and bypass the system’s access controls. This improper access control (CWE‑284) combined with incorrect permission assignment (CWE‑266) means that users who should not be able to create or modify accounts could potentially instantiate privileged accounts or alter existing ones, compromising both confidentiality and integrity of the system. The vulnerability can be exploited remotely via crafted HTTP requests, potentially giving an attacker system‑wide control over user accounts.

Affected Systems

The vulnerability affects the SourceCodester Gas Agency Management System version 1.0, specifically the file at /gasmark/php_action/createUser.php. No other product or version information is listed.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, but the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not present in the CISA KEV catalog. Attackers can exploit this remotely by targeting the public createUser.php endpoint, providing crafted parameters that the application fails to properly authenticate or authorize. The exploitation path therefore requires an open HTTP interface and the ability to modify input payloads to bypass access checks.

Generated by OpenCVE AI on April 18, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an available vendor patch or update to the latest release of SourceCodester Gas Agency Management System that fixes the createUser.php access control flaw.
  • If a patch is not available, limit the createUser.php endpoint to authenticated users only, enforcing role‐based access checks or moving the script into a protected directory behind authentication.
  • Add server‑side validation to ensure the role parameter supplied during account creation is limited to pre‑defined values and cannot be overridden by the requestor unless the requester holds system administrator privileges.
  • Monitor account‑creation logs for abnormal activity and block IP addresses that repeatedly attempt unauthorized account creation.
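
One way to act on the monitoring recommendation above, as an added example that is not OpenCVE's or the vendor's code: it scans web-server access logs for repeated POSTs to createUser.php from clients outside an administrative network. It assumes Apache combined-format logs; the admin subnet, threshold and window are hypothetical values, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ENDPOINT = "/gasmark/php_action/createUser.php"  # path named in the advisory
ADMIN_NETS = [ip_network("192.0.2.0/28")]         # assumption: where admins connect from
THRESHOLD = 3                                     # assumption: requests per window
WINDOW = timedelta(minutes=5)                     # assumption: burst window

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) ')

# Constructed sample lines (Apache combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.5 - - [06/Feb/2026:09:00:01 +0000] "POST /gasmark/php_action/createUser.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2026:09:01:10 +0000] "POST /gasmark/php_action/createUser.php HTTP/1.1" 200 31 "-" "curl/8.5.0"
203.0.113.7 - - [06/Feb/2026:09:01:40 +0000] "POST /gasmark/php_action/createUser.php HTTP/1.1" 200 31 "-" "curl/8.5.0"
203.0.113.7 - - [06/Feb/2026:09:02:05 +0000] "POST /gasmark/php_action/createUser.php?x=1 HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.20 - - [06/Feb/2026:09:03:00 +0000] "POST /gasmark/php_action/createUser.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.20 - - [06/Feb/2026:09:30:00 +0000] "POST /gasmark/php_action/createUser.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.20 - - [06/Feb/2026:09:31:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def suspicious_clients(log_text):
    """Return {ip: request_count} for non-admin clients that burst on ENDPOINT."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != ENDPOINT:   # ignore the query string
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:                            # hostname instead of an address
            continue
        if any(ip in net for net in ADMIN_NETS):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    def burst(t):
        # True when any THRESHOLD consecutive requests fall inside WINDOW
        return any(t[i + THRESHOLD - 1] - t[i] <= WINDOW
                   for i in range(len(t) - THRESHOLD + 1))

    return {ip: len(t) for ip, t in hits.items() if burst(sorted(t))}
```

The returned addresses are candidates for review or blocking; a `200` response to such a request from outside the admin network is itself worth investigating, since it suggests the endpoint is still reachable without an authorization check.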

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 16:15:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 17:45:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  Mayurik
  Mayurik gas Agency Management System

Type: CPEs
Values Removed:
Values Added: cpe:2.3:a:mayurik:gas_agency_management_system:1.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed:
Values Added:
  Mayurik
  Mayurik gas Agency Management System

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  Sourcecodester
  Sourcecodester gas Agency Management System

Type: Vendors & Products
Values Removed:
Values Added:
  Sourcecodester
  Sourcecodester gas Agency Management System

Fri, 06 Feb 2026 07:45:00 +0000

Type: Description
Values Removed:
Values Added: A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used.

Type: Title
Values Removed:
Values Added: SourceCodester Gas Agency Management System createUser.php access control

Type: Weaknesses
Values Removed:
Values Added:
  CWE-266
  CWE-284

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:22:40.762Z

Reserved: 2026-02-05T19:21:49.408Z

Link: CVE-2026-2009

Vulnrichment

Updated: 2026-02-12T15:06:16.321Z

NVD

Status: Analyzed

Published: 2026-02-06T08:15:53.863

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2009

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses