Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9485 is a cross-site scripting issue in SourceCodester Student Grades Management System 1.0. A low-privileged remote user can manipulate the Remarks field in students.php, potentially causing script execution when another user interacts with the affected page. Business risk is moderate because exploitation needs an account and user interaction, but a public exploit is reported.
Executive priority
Treat as a moderate web application risk. Prioritize remediation if the system contains student data, is internet-accessible, or allows broad user access. The public exploit signal raises urgency, but no active exploitation is documented in the provided sources.
Technical view
The source bundle describes improper handling of the Remarks argument in students.php, mapped to CWE-79 and CWE-94. CVSS 4.0 is 5.1 with AV:N, AC:L, PR:L, UI:P, and limited integrity impact. The affected product is SourceCodester Student Grades Management System 1.0. No vendor patch or fixed version is identified in the provided sources.
Likely exposure
Exposure appears limited to organizations running SourceCodester Student Grades Management System 1.0, especially where untrusted or lower-privileged users can enter or edit Remarks data and other users view it through students.php.
Exploitation context
The bundle says remote exploitation is possible and a public exploit is available. It does not show CISA KEV listing or confirmed active exploitation. CVSS indicates low attack complexity, low privileges required, and user interaction required.
Researcher notes
Evidence is source-bundle limited. VulDB reports the vulnerable file and parameter, public exploit availability, and CVSS details, but the affected function, patch status, and exploit-in-the-wild status are not established here. Avoid assuming impact beyond XSS-related integrity risk.
Mitigation direction
- Check SourceCodester and VulDB guidance for any vendor fix or advisory updates.
- Restrict access to the grades system to trusted authenticated users only.
- Apply output encoding and input validation for Remarks if maintaining the code internally.
- Review existing Remarks entries for unsafe script content.
- Monitor application logs for suspicious updates to student remarks.
Validation and detection
- Inventory deployments for Student Grades Management System version 1.0.
- Review students.php handling of the Remarks parameter and rendered output.
- Confirm whether low-privileged users can submit or edit Remarks values.
- Use a safe staging test to verify scripts cannot execute from Remarks.
- Check whether any public-facing instance exposes the affected workflow.
Public sources used
- CVE Program
- CVE List V5
- VDB-365466 | SourceCodester Student Grades Management System students.php cross site scripting
- VDB-365466 | CTI Indicators (IOB, IOC, TTP, IOA)
- Submit #814043 | SourceCodester Student Grades Management System 1.0 Cross Site Scripting
- Public vulnerability report repository
- SourceCodester
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9485 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.1 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P — — VulDB AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR 8 2.9 VulDB CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.1 1.4 VulDB CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.1 1.4 VulDB Vulnerability scoring details
Base CVSS 4.0 score
5.1 MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
3.5 LowVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 3.0 score
3.5 LowVector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 2.0 score
4 MediumVector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365466 | SourceCodester Student Grades Management System students.php cross site scripting CVE reference, VulDB · vdb-entry, technical-description
- VDB-365466 | CTI Indicators (IOB, IOC, TTP, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #814043 | SourceCodester Student Grades Management System 1.0 Cross Site Scripting CVE reference, VulDB · third-party-advisory
- https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report CVE reference, VulDB · exploit
- https://www.sourcecodester.com/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation
Improper Neutralization of Input During Web Page Generation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.