CVE-2026-9483 SourceCodester CVE debrief

Who should care

Organizations running SourceCodester Student Grades Management System 1.0, educational institutions using this software for grade management, security teams monitoring PHP web applications with authorization weaknesses, and developers maintaining legacy student information systems.

Technical summary

The Student Grades Management System 1.0 from SourceCodester contains an improper authorization vulnerability (CWE-266/CWE-285) in grades.php. The student_id parameter lacks proper access control validation, allowing authenticated users with low privileges to manipulate this parameter and potentially access or modify grade records belonging to other students. The vulnerability is remotely exploitable with low attack complexity and requires no user interaction. CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact with proof-of-concept exploit availability.

Defensive priority

low

Recommended defensive actions

• Review and validate authorization controls on the grades.php endpoint, specifically ensuring that student_id parameter values are properly authenticated and authorized against the session user
• Implement server-side access control checks to verify that the requesting user has permission to view or modify the specified student_id
• Consider removing or restricting access to the affected application until a patch is available, given public exploit availability
• Monitor for unauthorized access attempts to grades.php with anomalous student_id values in application logs
• Contact SourceCodester or the original application developer to confirm vendor status and request security patch timeline

Evidence notes

Vulnerability disclosed via Vuldb with public proof-of-concept available on GitHub. NVD status is Deferred. CVSS 4.0 vector indicates network attack vector, low privileges required, and proof-of-concept exploit availability.

Official resources