CVE-2026-14778
Received Received - Intake

Online Exam System Improper Authorization Flaw

Vulnerability report for CVE-2026-14778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_examination_and_learning_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14778 is a security vulnerability in the Online Examination & Learning Management System version 1.0, specifically in the /ajax_enroll.php endpoint of the Enrollment Management component.

The vulnerability is an Insecure Direct Object Reference (IDOR) caused by missing authorization checks. It allows any authenticated user, including students, to manipulate enrollment actions such as enrolling or unenrolling any student in any schedule without proper verification.

The endpoint processes user-controlled parameters (student_id, schedule_id, action) directly from POST requests without validating the user's role or ownership of the target student ID.

Additionally, the lack of a CSRF token enables cross-site request forgery attacks, which can trick authenticated users into performing unauthorized enrollment actions via malicious HTML forms.

Overall, this vulnerability undermines the integrity of the enrollment system by allowing unauthorized manipulation of student enrollments.

Compliance Impact

The vulnerability in the Online Examination & Learning Management System allows unauthorized manipulation of student enrollment data due to missing authorization checks and lack of CSRF protection.

This improper authorization and potential for mass enrollment manipulation can undermine data integrity and accountability, which are critical for compliance with standards like GDPR and HIPAA.

Specifically, the lack of role-based access control and audit logging may lead to unauthorized access or modification of personal data, violating principles of data protection, user consent, and accountability required by these regulations.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to enroll or unenroll students in courses or schedules without permission.

Such unauthorized actions can disrupt the enrollment process, cause confusion, and potentially allow malicious actors to manipulate course participation records.

The lack of proper authorization and CSRF protection also means attackers can perform mass enrollment manipulations or trick legitimate users into executing unwanted actions, further compromising the system's integrity.

Detection Guidance

This vulnerability can be detected by monitoring and testing the `/ajax_enroll.php` endpoint for improper authorization issues. Specifically, you can attempt to send POST requests with manipulated parameters such as `student_id`, `schedule_id`, and `action` to check if unauthorized enrollment or unenrollment actions are possible.

Suggested commands to detect the vulnerability include using curl or similar tools to simulate requests:

  • curl -X POST -d "student_id=TARGET_ID&schedule_id=SCHEDULE_ID&action=enroll" https://yourdomain.com/ajax_enroll.php
  • curl -X POST -d "student_id=TARGET_ID&schedule_id=SCHEDULE_ID&action=unenroll" https://yourdomain.com/ajax_enroll.php

If these requests succeed without proper authorization checks or CSRF tokens, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing proper role-based authorization checks to ensure only authorized users can perform enrollment or unenrollment actions.

Additionally, verify ownership or permissions for the `student_id` and `schedule_id` parameters to prevent unauthorized manipulation.

Add CSRF protection tokens to the `/ajax_enroll.php` endpoint to prevent cross-site request forgery attacks.

Introduce audit logging to track enrollment changes and detect suspicious activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart