CVE-2026-14776 in Onlne Examination & Learning Management System
Summary
by MITRE • 07/06/2026
A security flaw has been discovered in SourceCodester Onlne Examination & Learning Management System 1.0. Affected by this vulnerability is the function pathinfo of the file /upload_files.php of the component Filename Extension. Performing a manipulation results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The name of the affected product appears to have a typo in it.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability identified in SourceCodester Online Examination & Learning Management System version 1.0 represents a critical file upload flaw that directly impacts the system's security posture and operational integrity. This weakness resides within the filename extension handling functionality of the /upload_files.php component, where inadequate input validation permits malicious actors to bypass intended security restrictions. The vulnerability stems from improper sanitization of user-supplied file names during the upload process, creating an attack vector that allows arbitrary file execution within the target environment.
The technical implementation of this flaw involves the pathinfo function being improperly configured or utilized without adequate validation checks for file extensions, allowing attackers to manipulate the upload process through crafted filenames. This unrestricted file upload capability enables remote threat actors to execute malicious code on the server by uploading files with potentially dangerous extensions such as .php, .asp, or other executable formats that the application fails to properly filter. The vulnerability operates at the application layer and directly violates security principles outlined in cwe-434 which specifically addresses unrestricted file upload vulnerabilities.
From an operational impact perspective, this vulnerability exposes the entire learning management system to potential compromise through remote code execution attacks. Attackers can leverage this flaw to upload backdoor scripts, web shells, or other malicious payloads that establish persistent access to the server infrastructure. The implications extend beyond simple data theft to include complete system takeover, data exfiltration, and potential use as a launch point for lateral movement within network environments. This weakness particularly affects educational institutions relying on the platform for online assessments and learning management, potentially compromising sensitive examination data and user privacy.
The exploitability of this vulnerability has been validated through public release, indicating that threat actors have already developed working attack vectors against affected systems. Security researchers should note that this issue demonstrates the critical importance of proper input validation and file extension filtering in web applications. Mitigation strategies must include implementing strict file type validation using allowlists rather than denylists, configuring proper file upload restrictions, and ensuring that uploaded files are stored outside the web root directory. Organizations should also consider implementing additional security controls such as content-type checking, file signature verification, and regular security scanning of uploaded content to prevent exploitation attempts.
This vulnerability aligns with several attack patterns documented in the mitre attack framework particularly those involving initial access through web application vulnerabilities and privilege escalation via file upload exploits. The weakness directly maps to cwe-434 and represents a common pattern in web application security where insufficient validation leads to arbitrary code execution capabilities. Organizations should conduct immediate assessment of their deployment environments, implement proper input sanitization measures, and ensure that all file upload functionalities include robust validation mechanisms before considering any systems as secure against this particular class of attack.