CVE-2026-1154
Unknown Unknown - Not Provided
Cross-Site Scripting in SourceCodester E-Learning Lesson Module

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1154
EUVD
EUVD-2026-3219
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sourcecodester e-learning_system to 1.0 (exc)
janobe e-learning_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious HTML or scripts into lesson titles or descriptions, which are then rendered in users' browsers. This can lead to web page defacement, spreading misinformation through content spoofing, and conducting phishing attacks by injecting fake forms or misleading links. The integrity of the system can be compromised, and users may be tricked into revealing sensitive information or performing unintended actions. [1, 2, 3]

Executive Summary

CVE-2026-1154 is a Stored HTML Injection vulnerability in SourceCodester E-Learning System 1.0. It occurs because the application does not properly sanitize user input in the Lesson Module's title and description fields. An attacker with access to lesson creation or editing can inject arbitrary HTML tags, which are stored in the backend database without validation. When these lessons are viewed by administrators or users, the injected HTML is rendered by the browser, enabling attacks such as web page defacement, content spoofing, and phishing. The vulnerability is due to insufficient input validation and output encoding in the lesson creation interface, specifically in the file /admin/modules/lesson/index.php. [1, 3]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious HTML or JavaScript code injected into the Title or Description fields of lessons in the SourceCodester E-Learning System 1.0, specifically in the /admin/modules/lesson/index.php component. One method is to log in as an administrator or instructor and review the lesson titles and descriptions for suspicious HTML tags such as <marquee> or other unexpected HTML elements. Additionally, Google dorking can be used to locate vulnerable targets using the query: inurl:admin/modules/lesson/index.php. There are no specific network commands provided, but manual inspection of the database entries or lesson content rendered in the browser can reveal exploitation. For example, querying the database for entries containing HTML tags in the lesson title or description fields can help detect exploitation. [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the affected SourceCodester E-Learning System 1.0 or replacing it with an alternative solution, as no known countermeasures or patches are currently available. Restricting access to the lesson creation and editing interfaces to trusted users only can reduce the risk. Additionally, monitoring and sanitizing user inputs in the Title and Description fields to prevent injection of HTML or script tags is recommended. Applying web application firewalls (WAF) rules to detect and block malicious HTML or JavaScript payloads targeting these fields may also help mitigate exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart