CVE-2026-14778 in Onlne Examination & Learning Management System
Summary
by MITRE • 07/06/2026
A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajax_enroll.php of the component Enrollment Management. The manipulation of the argument student_id/schedule_id/action leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The name of the affected product appears to have a typo in it.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/06/2026
This vulnerability resides within the SourceCodester Online Examination & Learning Management System version 1.0, specifically targeting the /ajax_enroll.php file within the Enrollment Management component. The flaw manifests through improper authorization controls when processing the student_id, schedule_id, and action parameters, creating a significant security risk that allows unauthorized users to manipulate enrollment operations. The vulnerability's impact extends beyond simple access control issues as it enables attackers to perform enrollment actions without proper authentication or authorization, effectively undermining the system's core user management and course enrollment mechanisms.
The technical nature of this vulnerability aligns with CWE-285, which addresses improper authorization scenarios in software systems. Attackers can exploit this weakness remotely by manipulating the three identified parameters to execute unauthorized enrollment operations such as adding students to courses, modifying enrollment schedules, or performing administrative actions typically restricted to authorized personnel. The publicly disclosed exploit means that threat actors can readily leverage this vulnerability without requiring advanced technical skills or specialized knowledge. This remote attack vector significantly amplifies the risk as it allows exploitation from any location without physical access to the system infrastructure.
The operational impact of this vulnerability extends beyond immediate unauthorized enrollment activities and represents a critical failure in the system's access control model. Organizations relying on this learning management system face potential data integrity compromises, unauthorized course access, and possible academic record manipulation. The vulnerability could enable attackers to enroll themselves in restricted courses, manipulate student schedules, or gain access to sensitive educational data that should remain protected. Furthermore, the typo in the product name suggests potential issues with version identification and patch management, complicating security maintenance efforts.
Mitigation strategies should include immediate implementation of proper input validation and authentication checks for all parameters processed by /ajax_enroll.php. The system requires robust authorization controls that verify user credentials and permissions before executing any enrollment-related operations. Security measures should enforce strict parameter validation to prevent malicious manipulation of student_id, schedule_id, and action values. Organizations should implement rate limiting and monitoring for suspicious enrollment activities, while also considering the deployment of web application firewalls to detect and block exploitation attempts. The vulnerability highlights the importance of comprehensive security testing during development phases and proper access control implementation in educational management systems that handle sensitive user data. This weakness demonstrates how seemingly simple parameter handling can create critical security gaps that compromise entire system integrity and user privacy within learning environments.