CVE-2026-2983

7.3 HIGH

📋 TL;DR

This vulnerability in SourceCodester Student Result Management System 1.0 allows unauthenticated attackers to upload arbitrary files via the bulk import feature, potentially leading to account takeover and system compromise. The vulnerability affects all installations of this specific software version. Remote exploitation is possible without authentication.

💻 Affected Systems

Products:
  • SourceCodester Student Result Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The system must be accessible via network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, data theft, and unauthorized administrative access to the entire student result management system.

🟠 Likely Case

Unauthenticated attackers upload malicious files to create admin accounts, hijack SMTP settings, and gain control over the application.

🟢 If Mitigated

With proper file upload validation and authentication controls, the vulnerability would be prevented entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub demonstrates SMTP hijacking and account takeover via arbitrary file upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider removing the software or implementing workarounds.

🔧 Temporary Workarounds

Disable Bulk Import Feature

Remove or restrict access to the /admin/core/import_users.php file:

# rename the handler so the web server no longer serves it
mv /path/to/admin/core/import_users.php /path/to/admin/core/import_users.php.disabled
# strip all permissions from the renamed copy (the original path no longer exists after the mv)
chmod 000 /path/to/admin/core/import_users.php.disabled

Implement Web Application Firewall Rules

Block requests to import_users.php and restrict file uploads

🧯 If You Can't Patch

  • Remove the system from internet-facing networks immediately
  • Implement strict network segmentation and access controls to limit exposure

🔍 How to Verify

Check if Vulnerable:

Check if /admin/core/import_users.php exists and is accessible without authentication. Test with a simple file upload attempt.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify import_users.php is inaccessible or removed. Test authentication requirements for all admin functions.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /admin/core/import_users.php without authentication
  • File upload attempts with unusual extensions
  • Unauthorized admin account creation

Network Indicators:

  • Unusual traffic to import_users.php endpoint
  • File uploads to admin directory without authentication

SIEM Query:

source="web_logs" AND (uri="/admin/core/import_users.php" OR (method="POST" AND uri CONTAINS "import_users")) AND NOT user_agent="legitimate_bot"
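An added example (not part of this advisory) of the log indicators above applied to web server access logs: it parses combined-format lines, flags any request to /admin/core/import_users.php, and separates accepted POSTs (a possible upload) from rejected ones and plain probes. The log format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" log format (assumption: the web server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "/admin/core/import_users.php"  # bulk import handler named in this advisory
Finding = namedtuple("Finding", "ip timestamp method status reason")

def parse_line(line):
    # Return the named fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    # Return a reason string if the request touches the bulk import endpoint, else None.
    path = rec["uri"].split("?", 1)[0].lower()   # ignore any query string
    if not path.endswith(TARGET_PATH):
        return None
    status = int(rec["status"])
    if rec["method"] == "POST" and 200 <= status < 300:
        return "accepted POST to bulk import endpoint (possible upload)"
    if rec["method"] == "POST":
        return f"rejected POST to bulk import endpoint (HTTP {status})"
    return "probe of bulk import endpoint"

def scan(lines):
    # Walk log lines, skip unparseable ones, collect findings in log order.
    findings = []
    for line in lines:
        rec = parse_line(line)
        reason = classify(rec) if rec else None
        if reason:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"], int(rec["status"]), reason))
    return findings

# Constructed sample log lines (not real traffic) used to exercise the scanner.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:09:15:41 +0000] "GET /admin/core/import_users.php HTTP/1.1" 200 411 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Mar/2026:09:15:43 +0000] "POST /admin/core/import_users.php HTTP/1.1" 200 97 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Mar/2026:09:16:10 +0000] "POST /admin/core/import_users.php?x=1 HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]
```

Feed real access log lines to scan() and correlate accepted POSTs with new admin accounts or SMTP setting changes in the application.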
