Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9486 is a cross-site request forgery issue in SourceCodester Student Grades Management System 1.0. An attacker could trick a logged-in user into performing an unintended action in the application. Business impact is mainly integrity risk, such as unauthorized changes, not system takeover based on the provided CVSS data.
Executive priority
Treat this as a moderate-priority integrity issue. Prioritize if the system is used for real student records or exposed beyond a trusted internal network. There is public exploit material, but no confirmed active exploitation in the supplied sources.
Technical view
The CVE describes CSRF affecting an unknown component of SourceCodester Student Grades Management System 1.0, mapped to CWE-352 and CWE-862. CVSS 4.0 is 5.3: network reachable, low complexity, no attacker privileges, user interaction required, and low victim integrity impact. No affected endpoint or vendor fix is identified in the bundle.
Likely exposure
Exposure appears limited to organizations running SourceCodester Student Grades Management System 1.0. Risk is higher where authenticated staff or administrator browser sessions can reach the application and the application is internet-accessible or reachable from less-trusted networks.
Exploitation context
The source bundle says a public exploit exists, but KEV is false and no cited source establishes active exploitation. The attack requires user interaction, likely by inducing an authenticated user to trigger an unintended state-changing request.
Researcher notes
Evidence is incomplete: the affected component is listed as unknown, and no vendor patch is named. Validate with authorized testing only, focusing on CSRF controls and missing authorization around sensitive actions without reproducing public exploit steps.
Mitigation direction
- Check SourceCodester or project maintainer guidance for an update, patch, or official workaround.
- Restrict access to the application to trusted networks while remediation guidance is reviewed.
- Review sensitive state-changing workflows for anti-CSRF protections and authorization checks.
- Require users to sign out after use and avoid browsing untrusted sites during active sessions.
Validation and detection
- Inventory whether SourceCodester Student Grades Management System 1.0 is deployed.
- Confirm whether the application is reachable from the internet or untrusted networks.
- Review state-changing forms and requests for per-request CSRF protection.
- Check audit records for unexpected grade or account changes after May 25, 2026.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-862: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9486 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P — — VulDB AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR 10 2.9 VulDB CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.8 1.4 VulDB CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.8 1.4 VulDB Vulnerability scoring details
Base CVSS 4.0 score
5.3 MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
4.3 MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 3.0 score
4.3 MediumVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 2.0 score
5 MediumVector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365467 | SourceCodester Student Grades Management System cross-site request forgery CVE reference, VulDB · vdb-entry
- VDB-365467 | CTI Indicators (IOB, IOC) CVE reference, VulDB · signature, permissions-required
- Submit #814044 | SourceCodester Student Grades Management System 1.0 Cross-Site Request Forgery CVE reference, VulDB · third-party-advisory
- https://github.com/Jack-MRJ/Student-Grades-Management-System-Vulnerability-Report CVE reference, VulDB · exploit
- https://www.sourcecodester.com/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Missing Authorization
Missing Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.