VYPR
Medium severity 4.3 · NVD Advisory · Published May 26, 2026

CVE-2026-9583

Description

A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information exposure vulnerability in SourceCodester CET Grading System 1.0 reveals backend SQL error details via crafted input.

Vulnerability

The information disclosure vulnerability resides in the SQL Handler component of SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. The file /index.php processes the manage_subjects action via /index.php?action=manage_subjects and fails to suppress verbose database error messages when receiving crafted input. This corresponds to CWE-209 (Generation of Error Message Containing Sensitive Information). [3]

Exploitation

A remote authenticated attacker can trigger the vulnerability by submitting oversized POST parameters to the affected endpoint. No special network position beyond standard remote access is required, though authentication (valid user credentials) is necessary to reach the vulnerable code path. The public PoC script (poc.sh) demonstrates the exact sequence of sending crafted POST data to elicit database exceptions. [1] [3]

Impact

Successful exploitation allows the attacker to obtain verbose SQL error messages from the server. The exposed information may include SQLSTATE responses, database engine details, query behavior, PDO exceptions, and MariaDB/MySQL error data. This leakage constitutes a low confidentiality impact (C:L) with no impact on integrity or availability. [3]

Mitigation

No official fix has been released by SourceCodester as of the publication date. The vendor's website does not list a patched version. [2] Recommended mitigations include disabling verbose database error output in production, implementing centralized exception handling, returning generic user-facing error messages, and logging detailed database errors securely server-side only. [3]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The application returns verbose database error messages to the user instead of handling exceptions gracefully, exposing sensitive backend information."

Attack vector

A remote authenticated attacker sends oversized POST parameters to `/index.php?action=manage_subjects`, which triggers database exceptions [ref_id=1]. The server returns verbose SQL error messages containing sensitive backend information such as SQLSTATE responses, database engine details, query behavior, PDO exceptions, and MariaDB/MySQL error data [ref_id=1]. The attack requires authentication but no special privileges beyond a valid user account, and can be performed over the network [ref_id=1].

Affected code

The vulnerability is in `/index.php` of SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, specifically in the SQL Handler component when processing the `action=manage_subjects` endpoint [ref_id=1]. The application exposes backend SQL/database error details through this endpoint when crafted input is submitted [ref_id=1].

What the fix does

No patch has been published for this vulnerability. The advisory recommends disabling verbose database error output in production, implementing centralized exception handling, returning generic user-facing error messages, and logging detailed database errors securely server-side only [ref_id=1]. These mitigations would prevent the application from leaking SQLSTATE responses, PDO exceptions, and other database internals to the attacker [ref_id=1].
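The Mitigation section above and this "What the fix does" section both prescribe the same change: stop returning database exceptions to the user, route them through one handler, and keep the detail in a server-side log. The following is an added example written for this page, not code from the SourceCodester project or from any published fix. It shows the error-leaking pattern (CWE-209) beside a hardened version of the same insert. The `subjects` table, the `code`/`name` field names and the length limits are assumptions standing in for the real application's schema; the database is an in-memory SQLite instance so the script runs offline, whereas the real application uses MariaDB/MySQL, so the exact exception text differs but the handling is identical.

```php
<?php
// Added example (not SourceCodester code): leaky vs. hardened database error handling.
declare(strict_types=1);

// Production setting: PHP itself must never print errors or uncaught exceptions to clients.
ini_set('display_errors', '0');

// Safety net for anything that escapes the per-request handlers below.
set_exception_handler(function (Throwable $t): void {
    error_log('[uncaught] ' . $t);
    http_response_code(500);
    echo 'An internal error occurred.', PHP_EOL;
});

// Hypothetical schema standing in for the application's real subjects table.
function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');   // assumption: SQLite so the example runs offline
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, code TEXT NOT NULL UNIQUE, name TEXT NOT NULL)');
    return $pdo;
}

// VULNERABLE (CWE-209): the raw PDOException text, including the SQLSTATE and the
// driver's message, is echoed straight back to the client.
function manageSubjectsLeaky(PDO $pdo, array $post): string {
    try {
        $stmt = $pdo->prepare('INSERT INTO subjects (code, name) VALUES (:code, :name)');
        $stmt->execute([':code' => $post['code'] ?? null, ':name' => $post['name'] ?? null]);
        return 'Subject saved';
    } catch (PDOException $e) {
        return 'Error: ' . $e->getMessage();   // leaks backend details to the user
    }
}

// HARDENED: reject malformed or oversized input before it reaches the database, and
// convert any remaining exception through the single handler below.
function manageSubjectsHardened(PDO $pdo, array $post): string {
    $code = trim((string) ($post['code'] ?? ''));
    $name = trim((string) ($post['name'] ?? ''));
    // Assumed limits: validation here means oversized input never raises a DB exception.
    if ($code === '' || strlen($code) > 16 || $name === '' || strlen($name) > 100) {
        return 'Invalid subject code or name';
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO subjects (code, name) VALUES (:code, :name)');
        $stmt->execute([':code' => $code, ':name' => $name]);
        return 'Subject saved';
    } catch (PDOException $e) {
        return handleDbError($e);
    }
}

// Centralized handler: the only place a database exception becomes output. Full detail
// goes to the server log under a random reference the user can quote to support staff.
function handleDbError(PDOException $e): string {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[db-error %s] code=%s msg=%s', $ref, (string) $e->getCode(), $e->getMessage()));
    return "An internal error occurred (reference $ref). Please try again later.";
}

// Demo with constructed input: an oversized code and a missing name, which in the
// leaky version surfaces the NOT NULL violation verbatim.
$pdo = connect();
$badPost = ['code' => str_repeat('A', 5000)];
echo manageSubjectsLeaky($pdo, $badPost), PHP_EOL;      // prints the SQLSTATE and driver message
echo manageSubjectsHardened($pdo, $badPost), PHP_EOL;   // prints only the generic validation message
```

Run with `php example.php`; the detailed error appears only on stderr (where `error_log` writes in the CLI), which is the server-side-only logging the advisory asks for. The ordering matters: validation first removes the trigger the PoC relies on, and the centralized handler covers whatever validation did not anticipate.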

Preconditions

  • auth: Attacker must have a valid authenticated session on the application
  • network: Attacker must be able to send HTTP POST requests to the server over the network
  • input: Attacker must submit oversized POST parameters to the manage_subjects endpoint

Reproduction

The advisory states the PoC submits oversized POST parameters to `/index.php?action=manage_subjects` to trigger database exceptions and extract SQL-related error information from server responses [ref_id=1]. No further reproduction steps are documented in the bundle.
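The Exploitation section and the reproduction summary above both describe the same observable: after an oversized POST to `/index.php?action=manage_subjects`, the response body carries database error text. What a tester verifying this finding (or confirming that a mitigation worked) needs is a way to classify response bodies. The block below is an added example written for this page, not the public `poc.sh`; it sends nothing over the network and runs offline over constructed sample responses. The indicator patterns are an assumption about what a PDO/MariaDB stack prints when errors are echoed, and the `subject_code`/`subject_name` form field names are assumed, not taken from the application.

```php
<?php
// Added example (not the public PoC): classify HTTP response bodies for leaked DB errors.
declare(strict_types=1);

// Indicators that only appear when backend database error text reaches the client.
// Assumed list of PDO / MariaDB / PHP phrasings; extend it from real observations.
const DB_ERROR_PATTERNS = [
    'sqlstate'      => '/SQLSTATE\[[0-9A-Z]{5}\]/',
    'pdo_exception' => '/\bPDOException\b/',
    'mysql_syntax'  => '/You have an error in your SQL syntax/i',
    'data_too_long' => '/Data too long for column/i',
    'php_stack'     => '/Stack trace:\s*#0/',
];

/** Names of the indicators found in a response body; empty array means it looks clean. */
function dbErrorIndicators(string $body): array {
    $hits = [];
    foreach (DB_ERROR_PATTERNS as $name => $re) {
        if (preg_match($re, $body) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * The kind of oversized form body the advisory describes: one field padded far past
 * any sane column width. Field names are assumptions, not the application's real ones.
 */
function oversizedPostBody(int $len = 10000): string {
    return http_build_query(['subject_code' => str_repeat('A', $len), 'subject_name' => 'x']);
}

// Constructed sample responses, not captured from a real instance.
$samples = [
    'leaky' => "<div class='alert'>Error: SQLSTATE[22001]: String data, right truncated: "
             . "1406 Data too long for column 'code' at row 1</div>",
    'fixed' => "<div class='alert'>An internal error occurred (reference 3fa9c21e).</div>",
];

foreach ($samples as $label => $body) {
    $hits = dbErrorIndicators($body);
    printf("%-5s -> %s\n", $label, $hits ? 'LEAK: ' . implode(', ', $hits) : 'clean');
}
// leaky -> LEAK: sqlstate, data_too_long
// fixed -> clean

printf("payload length: %d bytes\n", strlen(oversizedPostBody()));
```

To use it against a real test instance, capture the response to the POST (with an authenticated session cookie, since the page notes authentication is required) and pass the body to `dbErrorIndicators()`; a non-empty result after applying the mitigations means detailed errors are still reaching the client somewhere, typically through a code path the centralized handler does not cover.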

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)