VYPR
Medium severity 6.3 · NVD Advisory · Published Mar 23, 2026 · Updated Apr 29, 2026

CVE-2026-4573

Description

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Parameter Handler. The manipulation of the argument post_id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Simple E-learning System 1.0 suffers from a time-based blind SQL injection in the delete_post.php endpoint via the post_id GET parameter, allowing authenticated attackers to exfiltrate database data.

The vulnerability is a time-based blind SQL injection in SourceCodester Simple E-learning System version 1.0. The flaw resides in the /includes/form_handlers/delete_post.php file, where the post_id parameter from GET requests is directly concatenated into SQL queries without proper sanitization. This allows an attacker to inject malicious SQL payloads, particularly SLEEP() statements, to infer data by observing response delays.

Exploitation requires authentication to the application. An attacker must have valid credentials (e.g., a teacher account) and access to the delete post functionality. The parameter post_id is passed via GET request, and tools like sqlmap can automate the extraction of data. The provided proof-of-concept demonstrates a time-based blind injection using a payload that triggers a 5-second sleep when the condition is true.

Successful exploitation enables an authenticated attacker to retrieve arbitrary data from the database, including user credentials, session tokens, or other sensitive information. The attack is remote and does not require any special privileges beyond basic user access.

As of the advisory, no patch has been released. Users should limit access to the application, apply input validation, or use parameterized queries to mitigate the risk. The exploit has been publicly disclosed [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
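
The parameterized-query mitigation named above, sketched for a delete handler of this kind. This is an added example, not SourceCodester's code: the `posts` table, its `id` column, the `username` session key and the database credentials are assumptions, and the commented-out query only illustrates the concatenation pattern the advisory describes.

```php
<?php
// Added example, not the project's code. Table `posts`, column `id`, the
// session key and the connection settings are assumptions (placeholders).
declare(strict_types=1);
session_start();

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the value as an int >= 1, or null if it is anything else. */
function parse_post_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing parameter or array input (post_id[]=...)
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Delete one post by id. Returns true if exactly one row was removed. */
function delete_post(mysqli $db, int $postId): bool
{
    // Pattern the advisory describes (illustrative, do not use):
    //   $db->query("DELETE FROM posts WHERE id='" . $_GET['post_id'] . "'");
    // Hardened: the value is sent as a bound parameter, never as SQL text.
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

if (!isset($_SESSION['username'])) { // assumed session key for a logged-in user
    http_response_code(401);
    exit;
}

$postId = parse_post_id($_GET['post_id'] ?? null);
if ($postId === null) {
    http_response_code(400); // reject before any query is built
    exit('Invalid post_id');
}

$db = new mysqli('127.0.0.1', 'elearn_app', 'CHANGE_ME', 'elearning'); // placeholders
http_response_code(delete_post($db, $postId) ? 204 : 404);
```

Validation and binding are independent layers: the integer check rejects malformed input early, while the bound parameter keeps the query structure fixed even if the check is later loosened.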

Affected products

1

Patches

0

No patches discovered yet.
