CVE-2026-1154
Cross-Site Scripting in SourceCodester E-Learning Lesson Module
Publication date: 2026-01-19
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | e-learning_system | up to 1.0 (excluding) |
| janobe | e-learning_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject malicious HTML or scripts into lesson titles or descriptions, which are then rendered in users' browsers. This can lead to web page defacement, spreading misinformation through content spoofing, and conducting phishing attacks by injecting fake forms or misleading links. The integrity of the system can be compromised, and users may be tricked into revealing sensitive information or performing unintended actions. [1, 2, 3]
Can you explain this vulnerability to me?
CVE-2026-1154 is a Stored HTML Injection vulnerability in SourceCodester E-Learning System 1.0. It occurs because the application does not properly sanitize user input in the Lesson Module's title and description fields. An attacker with access to lesson creation or editing can inject arbitrary HTML tags, which are stored in the backend database without validation. When these lessons are viewed by administrators or users, the injected HTML is rendered by the browser, enabling attacks such as web page defacement, content spoofing, and phishing. The vulnerability is due to insufficient input validation and output encoding in the lesson creation interface, specifically in the file /admin/modules/lesson/index.php. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious HTML or JavaScript code injected into the Title or Description fields of lessons in the SourceCodester E-Learning System 1.0, specifically in the /admin/modules/lesson/index.php component. One method is to log in as an administrator or instructor and review the lesson titles and descriptions for suspicious HTML tags such as <marquee> or other unexpected HTML elements. Additionally, Google dorking can be used to locate vulnerable targets using the query: inurl:admin/modules/lesson/index.php. There are no specific network commands provided, but manual inspection of the database entries or lesson content rendered in the browser can reveal exploitation. For example, querying the database for entries containing HTML tags in the lesson title or description fields can help detect exploitation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the affected SourceCodester E-Learning System 1.0 or replacing it with an alternative solution, as no known countermeasures or patches are currently available. Restricting access to the lesson creation and editing interfaces to trusted users only can reduce the risk. Additionally, monitoring and sanitizing user inputs in the Title and Description fields to prevent injection of HTML or script tags is recommended. Applying web application firewalls (WAF) rules to detect and block malicious HTML or JavaScript payloads targeting these fields may also help mitigate exploitation. [2]
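As an added example (not code from the affected project or from this record), the database-side check the detection answer describes, plus the output-encoding step the record says is missing: constructed lesson rows are loaded into an in-memory SQLite table, stored title and description fields are scanned for HTML tags, and a row that merely contains a bare "<" is shown not to be flagged. The table name, column names and sample rows are assumptions.

```python
import html
import re
import sqlite3

# Constructed sample data (assumption: a "lessons" table with title and
# description columns; names and rows are not taken from the affected project).
SAMPLE_LESSONS = [
    (1, "Introduction to Algebra", "Covers variables and equations."),
    (2, "Chapter 2 <marquee>Site moved, log in here</marquee>", "Linear functions"),
    (3, "Chapter 3", 'Read more <a href="https://example.invalid/login">here</a>'),
    (4, "Math & Science", "Uses the symbols <, > and = in text only."),
]

# An HTML tag: "<", optional "/", a tag name, optional attributes, ">".
# A bare "<" followed by punctuation (row 4) does not match, so it is not flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][\w:-]*(\s[^>]*)?>", re.DOTALL)


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lessons (id INTEGER PRIMARY KEY, title TEXT, description TEXT)")
    conn.executemany("INSERT INTO lessons VALUES (?, ?, ?)", SAMPLE_LESSONS)
    return conn


def find_injected_lessons(conn):
    """Return (id, column, matched_tag) for every stored field that contains an HTML tag."""
    findings = []
    # Cheap SQL pre-filter: only rows containing an angle bracket need the regex pass.
    rows = conn.execute(
        "SELECT id, title, description FROM lessons "
        "WHERE title LIKE '%<%' OR description LIKE '%<%' ORDER BY id"
    )
    for lesson_id, title, description in rows:
        for column, value in (("title", title), ("description", description)):
            tag = TAG_RE.search(value or "")
            if tag:
                findings.append((lesson_id, column, tag.group(0)))
    return findings


def render_safely(text):
    """Output-encode a stored field before placing it in a page: the step the record says is missing."""
    return html.escape(text or "", quote=True)


if __name__ == "__main__":
    for finding in find_injected_lessons(build_db()):
        print(finding)
```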