VYPR
Medium severity (4.3) · NVD Advisory · Published Apr 29, 2026 · Updated Apr 29, 2026

CVE-2026-7401

Description

A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the component Registration. The manipulation of the argument student_id/full_name/section/username results in cross-site scripting. The attack can be launched remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in SourceCodester CET Automated Grading System 1.0 allows unauthenticated attackers to inject JavaScript via the registration fields; the stored payload executes when an administrator views the dashboard.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. The flaw resides in the student self-registration functionality at /index.php?action=register, where the student_id, full_name, section, and username parameters are neither validated nor encoded before being stored in the database [1]. The missing input validation and output encoding match CWE-79 (Improper Neutralization of Input During Web Page Generation).

Exploitation

An unauthenticated attacker can remotely exploit this vulnerability by submitting a registration request containing JavaScript payloads in any of the vulnerable fields [1]. No login is required, because the registration portal is publicly accessible [1]. The stored payload is subsequently triggered when an administrator visits the dashboard page (/index.php?action=dashboard), where registered students are listed [1]. The attack requires administrator interaction but no special network position beyond standard web access.

Impact

When the administrator views the dashboard, the injected script executes in the context of the admin session [1]. This enables an attacker to steal session cookies, deface the interface, or redirect the admin to malicious sites. Because the payload runs in a privileged session, full administrative account takeover is possible, leading to complete compromise of the grading system's administrative functionality [1].

Mitigation

As of publication, the vendor has not released an official patch [1]. Users should validate input on the registration form, encode output when rendering student data on the dashboard, and consider restricting public registration where it is not required. The proof-of-concept has been publicly available since April 2026 [1], increasing the risk of active exploitation.
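The two code paths the mitigation names, written as an added example rather than code from the SourceCodester application (the advisory does not show the affected code): validation of the four registration fields on input, and HTML encoding of stored student data when the dashboard lists it. The `students` table, its column names and the `$pdo` connection are assumptions.

```php
<?php
// Added example (not the vendor's code). Assumes a PDO connection in $pdo and a
// table `students` whose columns match the four fields named in the advisory.

/** Validate registration input; returns a list of error strings (empty = valid). */
function validate_registration(array $post): array
{
    $errors = [];
    // student_id and username are identifiers: enforce a tight character allowlist.
    foreach (['student_id', 'username'] as $f) {
        if (!isset($post[$f]) || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $post[$f])) {
            $errors[] = "$f must be 3-32 characters: letters, digits, _ . -";
        }
    }
    // full_name and section are free text: bound the length, reject control characters.
    foreach (['full_name' => 80, 'section' => 20] as $f => $max) {
        $v = $post[$f] ?? '';
        if ($v === '' || mb_strlen($v, 'UTF-8') > $max || preg_match('/[\x00-\x1F\x7F]/', $v)) {
            $errors[] = "$f is required, at most $max characters, no control characters";
        }
    }
    return $errors;
}

/** Encode a value for an HTML text node or quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: a restrictive CSP blocks inline script even if an encoding gap remains.
header("Content-Security-Policy: default-src 'self'");

// index.php?action=register: validate, then store with a prepared statement.
if (($_GET['action'] ?? '') === 'register' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_registration($_POST);
    if ($errors) {
        http_response_code(400);
        foreach ($errors as $e) { echo '<p>' . h($e) . '</p>'; }
        exit;
    }
    $stmt = $pdo->prepare('INSERT INTO students (student_id, full_name, section, username) VALUES (?, ?, ?, ?)');
    $stmt->execute([$_POST['student_id'], $_POST['full_name'], $_POST['section'], $_POST['username']]);
}

// index.php?action=dashboard: encode every stored field at the point of output.
// Emitting a column unencoded (echo '<td>' . $row['full_name'] . '</td>';) is the
// pattern that lets stored markup execute in the administrator's session.
foreach ($pdo->query('SELECT student_id, full_name, section, username FROM students') as $row) {
    echo '<tr>';
    foreach (['student_id', 'full_name', 'section', 'username'] as $col) {
        echo '<td>' . h((string) $row[$col]) . '</td>';
    }
    echo '</tr>';
}
```

Validation narrows what can be stored, but the encoding in `h()` is the control that actually prevents CWE-79, so it must be applied at every place the stored fields are rendered, not only on the dashboard.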

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.