CVE-2026-9582
Description
A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in SourceCodester CET Automated Grading System 1.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. The application does not properly validate authenticated POST requests, allowing attackers to perform unauthorized actions on behalf of authenticated users. The affected endpoints are /index.php?action=manage_subjects and /index.php?action=add_grade [3].
Exploitation
An attacker can craft a malicious HTML page that, when visited by an authenticated user, automatically submits POST requests to the vulnerable endpoints. This is possible because the application lacks anti-CSRF tokens, origin/referer header validation, or SameSite cookie protections [3]. The attacker does not require prior authentication or any special network position; they simply need to trick a logged-in victim into visiting the malicious page (e.g., via a phishing link or forum post). The public proof-of-concept HTML file demonstrates this attack [1].
Impact
A successful CSRF attack enables an attacker to create unauthorized subjects or manipulate grading-related data without the victim's consent. The impact is limited to integrity compromise (CWE-352) with no effect on confidentiality or availability. The CVSS v3.1 score is 4.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N [3].
Mitigation
The vendor has not yet released a patched version. The published advisory recommends implementing anti-CSRF tokens, validating Origin and Referer headers, and using SameSite cookie protections for all sensitive actions [3]. Until a fix is available, administrators should consider deploying web application firewall rules to block unexpected POST requests or requiring re-authentication for sensitive operations. Affected users should monitor SourceCodester's official website [2] for future updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection — the application does not validate authenticated POST requests, allowing unauthorized actions on behalf of a logged-in user."
Attack vector
An attacker crafts a malicious HTML page that automatically submits POST requests to the affected endpoints using the victim's active authenticated session [ref_id=1]. The attack is performed remotely and requires no authentication on the attacker's part, only that the victim is already logged into the application and visits the attacker's page [CWE-352]. The application does not validate the origin of authenticated POST requests, so the forged requests are processed as legitimate actions [ref_id=1].
Affected code
The vulnerability affects the `manage_subjects` and `add_grade` endpoints at `/index.php?action=manage_subjects` and `/index.php?action=add_grade` [ref_id=1]. The advisory does not specify the exact function names or file paths within the SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 codebase.
What the fix does
The advisory recommends implementing anti-CSRF tokens, validating Origin and Referer headers, using SameSite cookie protections, and requiring server-side request validation for sensitive actions [ref_id=1]. No patch has been published by the vendor for SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 as of the advisory's publication.
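The three controls the advisory recommends (a per-session anti-CSRF token, Origin/Referer validation, and a SameSite session cookie) are small to implement in a PHP application of this kind. The following is an added example written for this page, not code from the SourceCodester project; the helper file name `csrf_guard.php`, the function names, and the hostname passed to `require_valid_csrf()` are all assumptions. It is meant to be included by `index.php` and called at the start of the `manage_subjects` and `add_grade` actions before any database write.

```php
<?php
// csrf_guard.php (hypothetical helper, not part of the SourceCodester codebase)
// Added example showing the three mitigations the advisory recommends:
// synchronizer token, Origin/Referer check, and a SameSite session cookie.

declare(strict_types=1);

// 1. SameSite session cookie. Must be configured before session_start().
//    The array form of session_set_cookie_params() needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumes the application is served over HTTPS
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Synchronizer token: one random token per session, embedded in every
//    state-changing form and checked on submission.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside each <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// 3. Origin/Referer check: a cross-site POST carries the other site's
//    origin (or none at all), so require the source host to match ours.
//    $expectedHost must come from configuration, not from the Host header.
function request_origin_allowed(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // neither header present: refuse rather than guess
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Call at the top of every state-changing action (manage_subjects,
// add_grade) before touching the database.
function require_valid_csrf(string $expectedHost): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return; // only POST changes state; GET must never modify data
    }
    $submitted = $_POST['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    $tokenOk   = $expected !== '' && is_string($submitted)
              && hash_equals($expected, $submitted); // constant-time compare
    if (!$tokenOk || !request_origin_allowed($expectedHost)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token or origin.');
    }
}
```

In `index.php` the call would be `require_valid_csrf('grading.example.edu');` (a constructed hostname; use the site's configured host rather than the incoming `Host` header, which a client controls) immediately after dispatching on `$_GET['action']`, and each subject or grade form would echo `csrf_field()`. The token check alone closes the issue described above; the Origin/Referer check and the `SameSite=Strict` cookie are defence in depth for the case where a token is accidentally omitted from a new form.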
Preconditions
- Auth: Victim must have an active authenticated session in the CET Automated Grading System
- Input: Victim must visit a malicious page controlled by the attacker (e.g., via phishing or a compromised site)
- Input: Attacker must know or be able to target the affected endpoints (/index.php?action=manage_subjects and /index.php?action=add_grade)
Reproduction
The advisory includes a PoC HTML file that automatically submits malicious POST requests using the victim's active authenticated session [ref_id=1]. The exact reproduction steps are not detailed beyond the PoC file reference; the attacker hosts the HTML page and tricks an authenticated victim into opening it.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.