CVE-2026-14698
Status: Received - Intake

Unrestricted File Upload in Syllabus-Aligned Learning Management System

Vulnerability report for CVE-2026-14698, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security flaw has been discovered in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0. Impacted is an unknown function of the file upload_files.php. Performing a manipulation results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products (1 associated CPE)

Vendor: sourcecodester
Product: syllabus_aligned_learning_management_and_examination_system
Version / Range: 1.0

Exploitability

CWE ID   Description
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434  The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Compliance Impact

The vulnerability allows attackers to upload and execute arbitrary files on the server, potentially leading to full server compromise. This can result in unauthorized access to sensitive data, including personal information and database credentials.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to mitigate this vulnerability could lead to violations of these regulations due to inadequate security controls over data confidentiality and integrity.

Executive Summary

The CVE-2026-14698 vulnerability affects the SourceCodester Syllabus-Aligned Learning Management and Examination System version 1.0. It is caused by an unrestricted file upload flaw in the file upload_files.php, where authenticated instructor users can upload arbitrary files without proper validation of file extensions or MIME types.

Uploaded files are stored in a web-accessible directory, allowing attackers to upload malicious PHP files and execute arbitrary server-side code remotely. This means an attacker can run commands on the server by uploading and accessing a malicious script.

Impact Analysis

This vulnerability can lead to a full server compromise. Attackers can execute arbitrary code on the server, which allows them to read sensitive files, access database credentials, modify application data, or gain complete control over the server.

Detection Guidance

This vulnerability can be detected by attempting to upload a test PHP file through the upload_files.php functionality as an authenticated instructor user. For example, uploading a PHP file named test.php containing a simple PHP code snippet like <?php echo "RCE_TEST"; ?> and then accessing the uploaded file via its URL can confirm if arbitrary code execution is possible.

Commands to detect this might include using curl or wget to upload a test PHP file and then using curl or a browser to access the uploaded file URL to check for the expected output.

  • Upload test PHP file: curl -F "[email protected]" -u instructor_user:password http://target/upload_files.php
  • Access uploaded file: curl http://target/uploads/class_docs/test.php

If the response contains the string RCE_TEST, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting file uploads to approved file types and performing server-side MIME type verification to prevent dangerous files from being uploaded.

Additionally, store uploaded files outside the web root to prevent direct access and disable PHP execution in the upload directories to block execution of malicious scripts.

Implement a controlled download handler for serving uploaded files instead of allowing direct URL access.
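The following PHP is an added illustration of those mitigation steps, not the project's own upload_files.php: an upload handler that allowlists extensions, verifies the MIME type from the file bytes, stores under a random name outside the web root, and a matching download handler that replaces direct URL access. The storage path, the allowlist, the form field and the authorisation callback are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project. A hardened
// upload/download pair for a handler like upload_files.php; the storage
// path, the extension allowlist and the helper names are assumptions.
declare(strict_types=1);
// 1. Stored outside the web root: no stored file is reachable by URL.
const UPLOAD_DIR = '/var/app/private_uploads';
// 2. Allowlist: extension => MIME type the file *content* must have.
const ALLOWED = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Validates one entry of $_FILES (e.g. $_FILES['document']) and stores it
// under a server-chosen name. Returns that name; throws on any failure.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // The client-supplied name is consulted only for its final extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not permitted');
    }
    // 3. Server-side MIME check from the bytes, never from $_FILES['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    // 4. Random name: the uploader controls neither path nor filename.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// 5. Controlled download handler replacing direct URL access. $is_authorised
// is the application's own check (assumed, e.g. enrolment in the class).
function serve_download(string $stored, callable $is_authorised): void
{
    // Accept only names this code produces: 32 hex chars + allowlisted ext.
    if (!preg_match('/^[a-f0-9]{32}\.([a-z]{3})$/', $stored, $m) || !isset(ALLOWED[$m[1]])) {
        http_response_code(404); return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!$is_authorised($stored) || !is_file($path)) {
        http_response_code(403); return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');   // no browser content sniffing
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    readfile($path);
}
```

Because nothing is ever written under the document root, the separate step of disabling PHP execution in the upload directory becomes a defence in depth rather than the only barrier; keep it for any legacy directory that must remain web-accessible.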
