PatchSiren cyber security CVE debrief

CVE-2026-9485 SourceCodester CVE debrief

A cross-site scripting (XSS) vulnerability exists in SourceCodester Student Grades Management System 1.0, specifically within the students.php file. The vulnerability stems from improper sanitization of user-supplied input in the 'Remarks' parameter, allowing an attacker to inject malicious scripts. Successful exploitation requires a remote attacker with low privileges and interaction from a victim user. The CVSS 4.0 score of 2.0 reflects limited impact: no confidentiality compromise, low integrity impact, and no availability impact. The vulnerability was disclosed publicly on May 25, 2026, with exploit details made available. The NVD entry currently carries a 'Deferred' status as of the May 26, 2026 modification.

Vendor
SourceCodester
Product
Student Grades Management System
CVSS
LOW (2.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations running SourceCodester Student Grades Management System 1.0, particularly educational institutions using this PHP-based application for student record management. Security teams responsible for web application security in environments with legacy PHP educational software.

Technical summary

The vulnerability exists in the students.php component of SourceCodester Student Grades Management System 1.0. The 'Remarks' parameter accepts unsanitized input that is rendered in the browser without proper encoding, enabling reflected or stored XSS attacks. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N) indicates network accessibility, low attack complexity, no attack prerequisites, low privileges required, user interaction required, with confidentiality none, integrity low, and availability none. The presence of both CWE-79 and CWE-94 classifications suggests potential for both script injection and broader code injection vectors.

Defensive priority

LOW

Recommended defensive actions

  • Review and sanitize all user input in the students.php file, particularly the 'Remarks' parameter, implementing proper output encoding for HTML context
  • Apply Content Security Policy (CSP) headers to mitigate impact of potential XSS vulnerabilities
  • Conduct code review of entire Student Grades Management System codebase for similar input validation weaknesses
  • Monitor for unauthorized access attempts to students.php endpoint in web server logs
  • Consider upgrading to a maintained student information system with active security support if SourceCodester product is end-of-life
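The first two actions above, output encoding for the HTML context and a Content Security Policy, are shown together below as an added example. This is not code from SourceCodester Student Grades Management System or from the advisory; only the file name students.php and the 'Remarks' parameter come from the page. The function names, the CSP value and the sample remark are assumptions constructed for illustration, and the "unsafe" function stands in for the unencoded echo pattern the technical summary describes.

```php
<?php
// Added example, not SourceCodester code. Function names, the CSP value and
// the sample remark are assumptions; students.php and 'Remarks' come from the advisory.
declare(strict_types=1);

// Pattern the advisory describes: the remark is written into the page exactly
// as received, so any markup inside the value becomes part of the DOM.
function renderRemarkUnsafe(string $remark): string
{
    return '<td>' . $remark . '</td>';
}

// Hardened rendering: encode for the HTML context at output time.
// ENT_QUOTES also encodes ' and ", so the value is inert inside attributes too.
function renderRemarkSafe(string $remark): string
{
    return '<td>' . htmlspecialchars($remark, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth: a nonce-based CSP refuses inline scripts that lack the
// per-response nonce, limiting what an injected tag can do if an encoding gap
// remains elsewhere. Legitimate <script> tags in the page need nonce="..." set.
function buildCspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

function sendCspHeader(string $nonce): void
{
    if (!headers_sent()) {
        header(buildCspHeader($nonce));
    }
}

// Constructed sample input: a remark containing markup, an ampersand and quotes.
$sampleRemark = 'Good work <b>this term</b> & keep it "up"';

if (PHP_SAPI === 'cli') {
    // Run from the command line to compare the two renderings side by side.
    echo "unsafe: " . renderRemarkUnsafe($sampleRemark) . "\n";
    echo "safe:   " . renderRemarkSafe($sampleRemark) . "\n";
    // safe:   <td>Good work &lt;b&gt;this term&lt;/b&gt; &amp; keep it &quot;up&quot;</td>
} else {
    // In a web context, send the CSP before any output and render the encoded value.
    sendCspHeader(bin2hex(random_bytes(16)));
    echo '<table><tr>' . renderRemarkSafe($sampleRemark) . '</tr></table>';
}
```

Encoding must happen at output time, in the function that writes the value into HTML, rather than on the way into the database: stored data is then preserved as typed, and the same encoded rendering protects every page that later displays the remark. The CSP header is a second layer, not a substitute for encoding.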

Evidence notes

Vulnerability identified in students.php via Remarks parameter manipulation. CVSS 4.0 vector confirms network attack vector with low privileges required and user interaction needed. CWE-79 (XSS) and CWE-94 (Code Injection) were assigned by VulDB as CNA. NVD status is marked 'Deferred', indicating analysis is pending.

Official resources

2026-05-25