CVE-2026-14777
Received Received - Intake

Unrestricted File Upload in Online Examination & Learning Management System

Vulnerability report for CVE-2026-14777, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A weakness has been identified in SourceCodester Onlne Examination & Learning Management System 1.0. Affected by this issue is some unknown functionality of the file /announcements.php. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The name of the affected product appears to have a typo in it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_examination_and_learning_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unrestricted file upload leading to remote code execution, which can compromise the confidentiality, integrity, and availability of data within the Online Examination & Learning Management System.

Such a compromise could lead to unauthorized access to sensitive personal data, potentially violating data protection regulations like GDPR and HIPAA that require strict controls over data security and breach prevention.

Failure to properly validate uploaded files and prevent remote code execution increases the risk of data breaches, which can result in non-compliance with these standards and lead to legal and financial penalties.

Executive Summary

CVE-2026-14777 is an unrestricted file upload vulnerability in the Online Examination & Learning Management System, specifically in the announcements.php file.

Users with clerk or super_admin roles can upload files without proper validation. Although the system tries to prevent path traversal using basename(), it does not check file extensions, MIME types, or file content.

The user interface suggests only PDF or JPG files are allowed, but the server does not enforce this restriction.

An attacker with clerk-level access can upload a malicious PHP webshell, which allows them to execute commands on the server as the www-data user, leading to remote code execution.

The vulnerability can be exploited by sending a POST request to /announcements.php with a malicious PHP file attached.

Impact Analysis

This vulnerability can allow an attacker with limited privileges (clerk-level access) to upload and execute malicious code on the server.

Successful exploitation can lead to remote code execution, which means the attacker can run arbitrary commands on the server.

This can result in unauthorized access, data theft, data manipulation, service disruption, or complete system compromise.

Detection Guidance

This vulnerability can be detected by checking if the /announcements.php endpoint allows unrestricted file uploads without proper validation of file extensions or MIME types.

One way to test this is by sending a POST request to /announcements.php with a malicious PHP file attachment and observing if it gets uploaded and executed.

For example, you can use the following curl command to attempt uploading a PHP webshell:

After uploading, try to access the uploaded PHP file to verify if remote code execution is possible.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement an extension whitelist to allow only safe file types (e.g., PDF, JPG).
  • Validate MIME types and file content on the server side to prevent malicious uploads.
  • Disable PHP execution in the upload directories to prevent execution of uploaded scripts.
  • Strip original file extensions from uploaded files to avoid execution of dangerous file types.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart