PatchSiren cyber security CVE debrief
CVE-2026-9484 SourceCodester CVE debrief
A low-severity improper authorization vulnerability exists in SourceCodester Student Grades Management System 1.0, specifically within the `getClassroomStudents` and `removeStudentFromClassroom` functions of `classroom.php`. The flaw stems from insufficient validation of the `classroom_id` parameter, allowing an authenticated attacker with low privileges to manipulate classroom identifiers and potentially access or modify student records outside their authorized scope. The vulnerability is remotely exploitable and has been publicly disclosed, though no active exploitation in ransomware campaigns has been confirmed. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges but no user interaction, with limited impacts to confidentiality, integrity, and availability.
- Vendor: SourceCodester
- Product: Student Grades Management System
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations operating SourceCodester Student Grades Management System 1.0, particularly educational institutions using this PHP-based application for grade management. Security teams responsible for web application security and authorization control validation should prioritize review.
Technical summary
The vulnerability resides in `classroom.php`, where the `classroom_id` parameter is not validated against the requesting user's authorization scope. Both `getClassroomStudents` and `removeStudentFromClassroom` accept user-supplied `classroom_id` values without verifying ownership or access rights, enabling authenticated users to enumerate or modify classroom data belonging to other users. The CVSS 4.0 score of 2.1 (LOW) reflects the requirement for authenticated access and the limited impact scope, though the public availability of exploit details increases practical risk.
Defensive priority
low
Recommended defensive actions
- Implement strict authorization checks in `classroom.php` that confirm the authenticated user is permitted to access or modify the specified `classroom_id` before `getClassroomStudents` or `removeStudentFromClassroom` executes
- Apply input validation and sanitization to all `classroom_id` parameters, ensuring they correspond to classrooms the requesting user has legitimate access to
- Review and enforce role-based access controls (RBAC) throughout the Student Grades Management System to prevent horizontal privilege escalation
- Consider removing or restricting access to the affected application in production environments until patches are available, given the public disclosure of exploit details
- Monitor application logs for unauthorized access attempts against classroom-related endpoints and alert on anomalous `classroom_id` values
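The following is an added illustration of the authorization gap described in the technical summary and of the first two recommended actions; it is not code from SourceCodester or from the affected application, whose source is not reproduced in this debrief. It assumes a hypothetical schema (`classrooms(id, teacher_id)`, `classroom_students(classroom_id, student_id)`, `students(id, name)`), a MySQL backend accessed through PDO, and that the logged-in user's id is available to the handler. Every function, table and column name below is an assumption chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the application's own code. Hypothetical schema:
// classrooms(id, teacher_id), classroom_students(classroom_id, student_id),
// students(id, name). $userId is the authenticated user's id (e.g. from the session).

final class AuthorizationException extends RuntimeException {}

/** Reject any classroom_id that is not a positive integer (input validation step). */
function parseClassroomId(array $request): int
{
    $cid = filter_var(
        $request['classroom_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($cid === false) {
        throw new InvalidArgumentException('classroom_id must be a positive integer');
    }
    return $cid;
}

/**
 * Ownership check: true only if the classroom exists AND belongs to $userId.
 * One query for both conditions means a non-existent and a foreign classroom
 * look identical to the caller, so valid ids cannot be enumerated by probing.
 */
function userOwnsClassroom(PDO $db, int $classroomId, int $userId): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM classrooms WHERE id = :cid AND teacher_id = :uid LIMIT 1'
    );
    $stmt->execute([':cid' => $classroomId, ':uid' => $userId]);
    return $stmt->fetchColumn() !== false;
}

/** Deny access and leave an audit line that log monitoring can alert on. */
function requireClassroomAccess(PDO $db, int $classroomId, int $userId, string $action): void
{
    if (!userOwnsClassroom($db, $classroomId, $userId)) {
        error_log(sprintf('authz denied user_id=%d classroom_id=%d action=%s',
            $userId, $classroomId, $action));
        throw new AuthorizationException('Forbidden');
    }
}

/** Plain data access; deliberately contains no authorization logic. */
function fetchRoster(PDO $db, int $classroomId): array
{
    $stmt = $db->prepare(
        'SELECT s.id, s.name FROM students s
           JOIN classroom_students cs ON cs.student_id = s.id
          WHERE cs.classroom_id = :cid'
    );
    $stmt->execute([':cid' => $classroomId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// BEFORE (the pattern the advisory describes): classroom_id is taken from the
// request as-is, so any authenticated user can read any classroom's roster.
function getClassroomStudentsUnchecked(PDO $db, array $request): array
{
    return fetchRoster($db, (int) ($request['classroom_id'] ?? 0));
}

// AFTER: validate the parameter, authorize it against the requesting user, then query.
function getClassroomStudents(PDO $db, array $request, int $userId): array
{
    $cid = parseClassroomId($request);
    requireClassroomAccess($db, $cid, $userId, 'getClassroomStudents');
    return fetchRoster($db, $cid);
}

// AFTER for the modifying endpoint: authorize first, and also scope the DELETE
// itself to the owner so the check survives a later refactor of the handler.
function removeStudentFromClassroom(PDO $db, array $request, int $userId): int
{
    $cid = parseClassroomId($request);
    $sid = filter_var($request['student_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($sid === false) {
        throw new InvalidArgumentException('student_id must be a positive integer');
    }
    requireClassroomAccess($db, $cid, $userId, 'removeStudentFromClassroom');

    $stmt = $db->prepare(
        'DELETE FROM classroom_students
          WHERE classroom_id = :cid AND student_id = :sid
            AND classroom_id IN (SELECT id FROM classrooms WHERE teacher_id = :uid)'
    );
    $stmt->execute([':cid' => $cid, ':sid' => $sid, ':uid' => $userId]);
    return $stmt->rowCount(); // number of enrolment rows removed (0 or 1)
}

// Request-boundary usage (constructed): map the exceptions to HTTP statuses.
// try { echo json_encode(getClassroomStudents($db, $_GET, (int) $_SESSION['user_id'])); }
// catch (AuthorizationException $e) { http_response_code(403); }
// catch (InvalidArgumentException $e) { http_response_code(400); }
```

The design point is that the data-access function never decides who may call it; the ownership check runs at the handler boundary and, for the destructive path, is repeated inside the statement's `WHERE` clause so that the database enforces the same scope. The `error_log` line in `requireClassroomAccess` is what the monitoring recommendation above would key on: a burst of denials from one `user_id` across many `classroom_id` values is the signature of the horizontal access this advisory describes.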
Evidence notes
The vulnerability description identifies specific functions (`getClassroomStudents`, `removeStudentFromClassroom`) and file (`classroom.php`) affected, with the root cause being manipulation of the `classroom_id` argument leading to improper authorization (CWE-266, CWE-285). CVSS 4.0 scoring from the CNA indicates limited impacts across security dimensions. The vendor attribution to SourceCodester is derived from reference domain analysis with low confidence, requiring review.
Official resources
Public disclosure occurred on 2026-05-25 with subsequent modification on 2026-05-26. The vulnerability was reported through VulDB and includes a GitHub-hosted vulnerability report. No CISA KEV listing is present.