CVE-2026-2984
Denial of Service in SourceCodester Student Result Management System
Publication date: 2026-02-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| munyweki | student_result_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2984 is a vulnerability in SourceCodester Student Result Management System version 1.0, specifically in the file /admin/core/drop_user.php. The vulnerability arises from improper handling of the 'id' argument in a GET request, which allows an attacker to manipulate this parameter.

This manipulation can lead to a denial of service (DoS) condition by deleting critical user accounts, such as the Super Administrator account, from the system's staff database. The attack can be executed remotely without any authentication or authorization, making it easily exploitable.

The vulnerability corresponds to CWE-404, indicating incorrect resource release, and aligns with the MITRE ATT&CK technique T1499 (Endpoint Denial of Service). A proof-of-concept exploit is publicly available. [1, 2]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service by permanently deleting the Super Administrator account from the system, effectively locking out administrative access and management capabilities.

As a result, the system's availability and integrity are compromised, preventing legitimate users from managing or maintaining the system.

Since the attack can be performed remotely without authentication, it poses a significant risk to the affected system's operational continuity. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether SourceCodester Student Result Management System version 1.0 is running and whether the vulnerable script /admin/core/drop_user.php is reachable remotely without a logged-in administrator session.

One method to locate exposed installations is Google dorking with the query: inurl:admin/core/drop_user.php.

To test on your own system or network, you can send a crafted HTTP GET request to the /admin/core/drop_user.php endpoint with an id parameter, for example:

- curl -v "http://[target]/admin/core/drop_user.php?id=1"

If the request succeeds without authentication and the staff record with that id is removed (or the administrator can no longer log in), the vulnerability is present. Note that on a vulnerable system this request is the attack itself: it deletes whatever staff account has id=1, so run it only against a disposable copy of the installation, never against production. [1, 2]
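A non-destructive alternative to probing the endpoint is to look for the attack in the web server's access logs. The following Python script is an added example, not code from the advisory or from the affected product: it parses Apache/nginx combined-format log lines, picks out every GET request to /admin/core/drop_user.php, extracts the id parameter, and flags requests from outside an assumed administrator network. The sample log lines, the 10.0.0.0/8 trusted range and the srms.internal hostname are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Feb/2026:10:14:02 +0000] "GET /admin/core/drop_user.php?id=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.15 - - [23/Feb/2026:10:15:10 +0000] "GET /admin/core/drop_user.php?id=7 HTTP/1.1" 302 0 "http://srms.internal/admin/staff.php" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2026:10:15:44 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.23 - - [23/Feb/2026:10:16:01 +0000] "GET /admin/core/drop_user.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
"""

# One combined-format line: client ip, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

VULN_PATH = "/admin/core/drop_user.php"  # endpoint named in the advisory

# Assumption for the example: administrators only reach the app from this range;
# any other source hitting the deletion endpoint is treated as external.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # {"id": ["1"]} for ?id=1, {} if absent
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the trusted administrator networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_drop_user_attempts(log_text):
    """Collect every request to the vulnerable script, with the id it targeted and its origin."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        hits.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "method": rec["method"],
            "ids": rec["query"].get("id", []),   # which staff record(s) the request tried to drop
            "status": int(rec["status"]),
            "external": not is_trusted(rec["ip"]),
            "referer": rec["referer"],
        })
    return hits


if __name__ == "__main__":
    # Because the script requires no login, any external request that was answered
    # (2xx/3xx) should be treated as a probable account deletion and triaged immediately.
    for h in find_drop_user_attempts(SAMPLE_LOG):
        origin = "EXTERNAL" if h["external"] else "internal"
        print(f'{h["ts"]}  {h["ip"]:<15} {origin:<8} id={h["ids"]} status={h["status"]}')
```

Feed the real access log in place of SAMPLE_LOG and adjust TRUSTED_NETS to the networks your administrators actually use; a request with no id at all is still worth listing, since it shows someone enumerating the endpoint.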
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been reported for this vulnerability.

The suggested immediate step is to replace the affected product with an alternative that does not contain this vulnerability.

Since the vulnerability allows unauthenticated remote deletion of the administrator account, restricting access to the /admin/core/drop_user.php endpoint (or the whole /admin/ path) via network controls such as firewall rules or web server access restrictions reduces exposure until a replacement or patch is applied. Keep a current backup of the staff database so that a deleted Super Administrator account can be restored.