CVE-2026-9484 - Vulnerability Details

- SourceCodester Student Grades Management System classroom.php removeStudentFromClassroom improper authorization

Description

A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Published: 2026-05-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The source code of the Student Grades Management System includes a function named removeStudentFromClassroom in the file classroom.php. By manipulating the classroom_id argument that the function accepts, an attacker can invoke the removal of a student from a classroom that they do not have permission to manage. This improper authorization flaw could lead to unauthorized data modification and loss of record integrity. The vulnerability is exploitable remotely and has been publicly disclosed. The weakness maps to CWE‑285 (Improper Authorization) and CWE‑266 (Weak Password Requirements).

Affected Systems

This flaw affects SourceCodester Student Grades Management System, version 1.0, which is a web‑based classroom management application.

Risk and Exploitability

The associated CVSS score of 5.3 marks the vulnerability as medium severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, suggesting a lower likelihood of active exploitation in the wild. However, because the flaw can be triggered via a simple HTTP request that modifies a classroom_id value, the attack vector is remote and does not require privileged credentials. If an attacker can gain access to a user’s session or craft a request on behalf of a user, they could remove students from classrooms, potentially compromising data integrity and trust in the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Student Grades Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Student Grades Management System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor patch or upgrade to a version where proper authorization checks have been implemented.
Validate that the requester owns the classroom before allowing a student to be removed; enforce strict access controls on the removeStudentFromClassroom endpoint.
Require CSRF protection and limit the HTTP methods that can trigger student removal to mitigate automated exploitation.

Generated by OpenCVE AI on May 25, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00048.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report
https://vuldb.com/submit/814038
https://vuldb.com/submit/814039
https://vuldb.com/submit/814042
https://vuldb.com/vuln/365465
https://vuldb.com/vuln/365465/cti
https://www.sourcecodester.com/

History

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 25 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title		SourceCodester Student Grades Management System classroom.php removeStudentFromClassroom improper authorization
First Time appeared		Sourcecodester Sourcecodester student Grades Management System
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:sourcecodester:student_grades_management_system::::::::
Vendors & Products		Sourcecodester Sourcecodester student Grades Management System
References		https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report https://vuldb.com/submit/814038 https://vuldb.com/submit/814039 https://vuldb.com/submit/814042 https://vuldb.com/vuln/365465 https://vuldb.com/vuln/365465/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Student Grades Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-25T19:00:11.404Z

Updated: 2026-05-27T18:34:21.728Z

Reserved: 2026-05-24T09:26:21.424Z

Link: CVE-2026-9484

Vulnrichment

Updated: 2026-05-27T18:34:15.799Z

NVD

Status : Deferred

Published: 2026-05-25T20:16:37.670

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-9484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:00:11Z

Weaknesses

CWE-266
Incorrect Privilege Assignment
CWE-285
Improper Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object