CVE-2026-10168
Deferred Deferred - Pending Action
Improper Resource Control in BrinaryBrains School Student Management System

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-06-20
AI Q&A
2026-05-31
EPSS Evaluated
2026-06-19
NVD
CVE-2026-10168
EUVD
EUVD-2026-33488
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ousl-group brinarybrains_school_student_management_system to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10168 is an Insecure Direct Object Reference (IDOR) vulnerability found in the Parent Controller of the OUSL-GROUP-BrinaryBrains School Student Management System. Specifically, it affects the 'marks' function in the file application/controllers/Parents.php. The vulnerability occurs because the system does not verify whether a student belongs to the logged-in parent before displaying their data.

By manipulating the student ID parameter (param1) in the URL, an attacker who is logged in as a parent can access sensitive academic information, such as marks and class routines, of any student, not just their own children. This allows unauthorized access to other students' data.

Impact Analysis

This vulnerability can lead to horizontal privilege escalation, where a logged-in parent can view the academic records of other students without authorization.

The impact includes privacy violations as sensitive student information such as marks and class routines can be accessed by unauthorized users.

Additionally, an attacker can enumerate all students' records by sequentially changing the student ID parameter, potentially exposing a large amount of confidential data.

Detection Guidance

This vulnerability can be detected by testing whether unauthorized access to other students' marks and class routines is possible by manipulating the student ID parameter in the URL while logged in as a parent.

A practical detection method is to log in as a parent user and attempt to access another student's data by changing the student ID parameter in the URL to a different value.

For example, if the URL to view marks is something like: https://example.com/parents/marks?param1=STUDENT_ID, try changing STUDENT_ID to another student's ID and observe if the system improperly displays that student's information.

There are no specific command-line tools or commands provided in the resources, but manual testing via a web browser or automated tools like curl or Burp Suite to modify URL parameters can be used.

Example curl command to test access control by changing the param1 value:

  • curl -b cookies.txt "https://example.com/parents/marks?param1=OTHER_STUDENT_ID"

Here, cookies.txt contains the authenticated session cookies of a logged-in parent user.

Mitigation Strategies

Immediate mitigation steps include implementing proper access control checks in the application to verify that the student ID requested belongs to the logged-in parent before displaying any data.

Specifically, the application should validate the ownership of the student record in the `marks` method of the `Parents.php` controller and related views.

Until a patch or update is available, restrict access to the affected functionality to trusted users only and monitor logs for suspicious activity involving manipulation of student ID parameters.

Additionally, consider implementing web application firewall (WAF) rules to detect and block requests with unusual parameter manipulation patterns.

Compliance Impact

The vulnerability allows unauthorized access to sensitive academic information of students by exploiting an Insecure Direct Object Reference (IDOR) flaw. This leads to privacy violations and horizontal privilege escalation, enabling attackers to view data they should not have access to.

Such unauthorized disclosure of personal and academic data can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal information and require protection against unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10168. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart