Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9582 is a cross-site request forgery issue in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. A victim must interact with attacker-controlled content. Impact is limited integrity change, but public exploit material is referenced, so exposed deployments should be reviewed promptly.
Executive priority
Treat this as a moderate, time-bounded remediation item. It is not listed as known exploited in KEV, but public exploit material raises practical risk for any live deployment. Prioritize confirmation of exposure and vendor guidance before broader remediation work.
Technical view
The bundle identifies CWE-352 and CWE-862 affecting an unknown function in version 1.0. CVSS 4.0 is 5.3, network attack vector, low complexity, no privileges, user interaction required, and low victim integrity impact. No affected endpoint, patch, or vendor mitigation is specified.
Likely exposure
Exposure appears limited to organizations running SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The bundle does not support extending impact to other SourceCodester products. Because the affected function is unknown, exact route-level exposure cannot be confirmed from the supplied sources.
Exploitation context
The source bundle states public exploit material exists and may be used for attacks. It does not show CISA KEV listing or confirmed active exploitation. The attack is remote but requires user interaction, consistent with CSRF risk against authenticated users.
Researcher notes
The record lacks affected function details, patch status, and vendor remediation text. Public exploit references exist, but this analysis avoids payload details. Confidence is limited by the sparse advisory content and reliance on VulDB/CVE metadata for scope and severity.
Mitigation direction
- Check SourceCodester and VulDB guidance for an official patch or workaround.
- Identify and isolate any deployed version 1.0 instances.
- Limit access to administrative or grading workflows to trusted networks where possible.
- Review forms and state-changing routes for CSRF protection and authorization checks.
- Monitor application logs for unexpected authenticated state changes.
Validation and detection
- Confirm whether version 1.0 is deployed in production or test environments.
- Inventory public and internal routes for the affected application.
- Verify state-changing requests require anti-CSRF controls.
- Verify sensitive actions enforce server-side authorization.
- Review user reports or logs for suspicious grading or configuration changes.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-862: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9582 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 5.3 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P — — VulDB AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR 10 2.9 VulDB CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.8 1.4 VulDB CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R 2.8 1.4 VulDB Vulnerability scoring details
Base CVSS 4.0 score
5.3 MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
4.3 MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 3.0 score
4.3 MediumVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Base CVSS 2.0 score
5 MediumVector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365638 | SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery CVE reference, VulDB · vdb-entry
- VDB-365638 | CTI Indicators (IOB, IOC) CVE reference, VulDB · signature, permissions-required
- Submit #817930 | SourceCodester CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Cross Site Request Forgery CVE reference, VulDB · third-party-advisory
- https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9582-Cross-Site-Request-Forgery/Advisory.md CVE reference, VulDB · exploit
- https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9582-Cross-Site-Request-Forgery/poc.html CVE reference, VulDB · exploit
- https://www.sourcecodester.com/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Missing Authorization
Missing Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.