CVE-2026-12176

Vulnerability

The SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0 contains a cross-site scripting (XSS) vulnerability in the /index.php file. By manipulating the action parameter, an attacker can inject arbitrary web scripts. No authentication is required for the injection, but victim interaction is needed to trigger execution.

Exploitation

An attacker can craft a malicious URL with a specially crafted action parameter containing JavaScript payload. When an authenticated user (such as an instructor or administrator) visits this URL, the script executes in the context of the user's session. The exploit has been publicly disclosed, increasing the risk of widespread use.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the grading interface, or theft of sensitive information such as credentials or grading data.

Mitigation

As of the publication date, no official patch has been released by SourceCodester. Users should implement input validation and output encoding for the action parameter, or restrict access to the /index.php file. Consider using a web application firewall (WAF) to block malicious inputs.