CVE-2026-10236
Description
Improper authorization in SourceCodester Water Billing Management System 1.0 allows remote attackers to manipulate user data via the /classes/Users.php?f=save endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the user management endpoint of SourceCodester Water Billing Management System version 1.0. Specifically, the save action at /classes/Users.php?f=save lacks proper authorization checks, allowing unauthorized manipulation of user data. The issue is classified as improper authorization (CWE-285). [1]
Exploitation
An attacker can remotely exploit this vulnerability without authentication. The exploit has been publicly disclosed, providing a sequence of steps to send crafted requests to the vulnerable endpoint. No special privileges or user interaction are required.
Impact
Successful exploitation allows an attacker to modify user records, potentially leading to privilege escalation or data integrity compromise. The exact impact depends on the attacker's actions, but it could include creating, updating, or deleting user accounts.
Mitigation
As of the publication date, no official patch has been released by SourceCodester. Users should monitor the vendor's website for updates. As a workaround, implement access controls on the server side to restrict access to the /classes/Users.php endpoint to authenticated administrators only.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (6)
News mentions (0)
No linked articles in our index yet.