CVE-2026-14609 in CET Automated Grading System with AI Predictive Analyticsinfo

Summary

by MITRE • 07/04/2026

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This issue affects some unknown processing. The manipulation results in session fixiation. The attack can be executed remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit is now public and may be used.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability resides within the SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0, representing a critical session fixation flaw that compromises user authentication integrity. The issue manifests during the system's processing of user sessions, where an attacker can manipulate session identifiers to hijack active user sessions without proper authorization. This vulnerability specifically affects the authentication and session management components of the application, creating a pathway for unauthorized access to grading systems and associated administrative functions.

The technical implementation flaw stems from improper session handling mechanisms that fail to regenerate session identifiers upon successful authentication. When users log into the system, the application does not adequately invalidate or replace existing session tokens, allowing attackers who can predict or obtain valid session identifiers to maintain persistent access to user accounts. This weakness directly maps to CWE-384, which classifies session fixation as a serious vulnerability that undermines the fundamental security of web applications. The vulnerability's exploitation requires sophisticated techniques due to the complex nature of the AI predictive analytics system and its integration with grading processes.

The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to manipulate academic records, grade students dishonestly, or gain administrative privileges within the grading system. Given that this is an automated grading system with AI predictive analytics capabilities, compromised sessions could allow adversaries to influence machine learning models through data manipulation or gain access to sensitive educational data. The remote exploitation capability means attackers can target the system from external networks without requiring physical access to the infrastructure, making this vulnerability particularly dangerous in academic environments where such systems often contain confidential student information.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1563.002 which covers "Access Token Manipulation" and T1078 which addresses "Valid Accounts." The difficulty level of exploitation suggests that while the attack requires significant technical expertise, the public availability of exploit code increases the actual risk to organizations using this system. Organizations should immediately implement session regeneration upon authentication, enforce secure session cookie attributes including HttpOnly and Secure flags, and conduct comprehensive security testing of all web application components. Additionally, implementing proper input validation and output encoding mechanisms can help prevent further exploitation attempts while the system undergoes remediation. The vulnerability's classification as having public exploit availability necessitates urgent patching or mitigation strategies to protect academic institutions from potential data breaches and academic integrity violations.

Responsible

VulDB

Disclosure

07/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00321

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!