PatchSiren cyber security CVE debrief

CVE-2026-10168 OUSL-GROUP-BrinaryBrains CVE debrief

A LOW-severity vulnerability (CVSS 4.0: 2.1) in the OUSL-GROUP-BrinaryBrains School Student Management System affects the `marks` function within `application/controllers/Parents.php`. The flaw stems from improper control of resource identifiers (CWE-99) via manipulation of the `param1` argument, permitting remote attackers to access or modify resources without proper authorization. The project uses continuous delivery with rolling releases, so specific affected version numbers are unavailable; the vulnerability is confirmed up to commit `1e70e5ad1125b86dca4ee086eb6bb121f17708b6`. The issue was reported to the project via GitHub but had not received a response as of the CVE publication date. A public exploit has been disclosed and may be actively used. No CPE criteria are currently assigned, and vendor attribution carries low confidence based on reference-domain inference.

Vendor: OUSL-GROUP-BrinaryBrains
Product: School Student Management System
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations running the OUSL-GROUP-BrinaryBrains School Student Management System; security teams monitoring PHP/CodeIgniter applications with rolling-release update models; developers responsible for access control in student information systems

Technical summary

The `marks` function in `application/controllers/Parents.php` fails to properly control access to resource identifiers supplied through the `param1` argument. A remote attacker with low privileges can manipulate this parameter to access or modify resources belonging to other users or contexts. The application uses a rolling-release deployment model without versioned releases, complicating patch tracking. The vulnerability was reported to the project via GitHub issue #25, but maintainers had not responded as of 2026-05-31. A public exploit exists and may be used in the wild.

Defensive priority

P3

Recommended defensive actions

  • Review and restrict access controls on the `marks` endpoint in `application/controllers/Parents.php`
  • Validate and sanitize the `param1` argument against an allowlist of authorized resource identifiers
  • Implement indirect object references or session-bound tokens to prevent direct resource identifier manipulation
  • Monitor application logs for unauthorized access patterns to the `marks` function
  • Apply input validation and output encoding consistent with OWASP Cheat Sheet guidelines
  • Engage with the project maintainers via the reported GitHub issue to coordinate remediation
  • Consider web application firewall (WAF) rules to detect anomalous `param1` payloads pending code fix
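The first three actions above, shown together as an added example (written for this debrief, not code from the OUSL-GROUP-BrinaryBrains project): a hardened shape for `marks()` in a CodeIgniter 3 controller, beside the unchecked shape the summary describes. The `student` and `mark` table names, the `parent_id`/`role` session keys and the `parents/marks` view are assumptions; the real project schema is not on this page.

```php
<?php
// Added example, not the project's code. Table, column, session and view
// names below are assumed; adapt them to the actual schema.
defined('BASEPATH') OR exit('No direct script access allowed');

class Parents extends CI_Controller
{
    // Unchecked shape: the URL segment is used as the lookup key with no
    // ownership check, so any logged-in parent can read any student's marks.
    public function marks_unchecked($param1 = '')
    {
        $rows = $this->db->where('student_id', $param1)->get('mark')->result();
        $this->load->view('parents/marks', ['marks' => $rows]);
    }

    // Hardened shape: require a parent session, accept only a plain positive
    // integer, and allowlist the id against the caller's own children.
    public function marks($param1 = '')
    {
        $this->require_parent_session();

        if (!ctype_digit((string) $param1) || (int) $param1 <= 0) {
            show_404();                       // malformed identifier
        }
        $student_id = (int) $param1;
        $parent_id  = (int) $this->session->userdata('parent_id');

        // Session-bound allowlist: student ids linked to this parent.
        if (!in_array($student_id, $this->children_of($parent_id), true)) {
            log_message('error', sprintf('marks: parent %d denied for student %d from %s',
                $parent_id, $student_id, $this->input->ip_address()));
            show_error('Not authorized', 403); // log line feeds action 4 (monitoring)
        }

        $rows = $this->db->where('student_id', $student_id)->get('mark')->result();
        $this->load->view('parents/marks', ['marks' => $rows]);
    }

    private function require_parent_session()
    {
        if ($this->session->userdata('role') !== 'parent'
            || !$this->session->userdata('parent_id')) {
            show_error('Login required', 401);
        }
    }

    // Returns the integer ids of every student whose parent_id matches.
    private function children_of($parent_id)
    {
        $rows = $this->db->select('id')->where('parent_id', $parent_id)->get('student')->result();
        return array_map(function ($r) { return (int) $r->id; }, $rows);
    }
}
```

The denial is logged with the caller's parent id, the requested student id and source address, which is the pattern the monitoring action above would alert on.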

Evidence notes

Vulnerability identified in the `marks` function of `Parents.php` via manipulation of the `param1` argument. CWE-99 (Improper Control of Resource Identifiers) assigned by VulDB. The CVSS 4.0 vector confirms a network attack vector with low privileges required and no user interaction. GitHub issue #25 has been filed, but the vendor has not responded.

Official resources

Public exploit disclosed; vendor unresponsive to initial report