Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. Privilege Escalation via Role Manipulation in Online Exam LMS (CVE-2026-14719)
Privilege Escalation via Role Manipulation in Online Exam LMS (CVE-2026-14719)
SECURITYHIGHCVE-2026-14719

Privilege Escalation via Role Manipulation in Online Exam LMS (CVE-2026-14719)

A high-severity improper privilege management flaw in SourceCodester's Online Examination and Learning Management System 1.0 allows remote attackers to escalate their role during registration, potentially gaining administrator access.

Dylan H.

Security Team

July 5, 2026
3 min read

Affected Products

  • SourceCodester Online Examination & Learning Management System 1.0

Overview

A high-severity improper privilege management vulnerability has been disclosed in SourceCodester Online Examination & Learning Management System version 1.0. The flaw is found in the register.php registration endpoint, where manipulation of the role parameter allows a remote attacker to self-assign elevated privileges — including administrator-level access — during account creation.

Tracked as CVE-2026-14719 with a CVSS base score of 7.3 (High), this vulnerability is exploitable remotely without authentication, making it a critical risk in any internet-facing deployment of this software.

Technical Details

FieldDetails
CVE IDCVE-2026-14719
CVSS Score7.3 (High)
Attack VectorNetwork (Remote)
AuthenticationNone required
Affected Fileregister.php — Registration Endpoint
Vulnerable Parameterrole
Vulnerability TypeImproper Privilege Management (CWE-269)
VendorSourceCodester
Affected VersionOnline Examination & Learning Management System 1.0

The register.php endpoint accepts a role field from the client during user registration. The application fails to validate or restrict which role values a user may specify, allowing an attacker to set their role to admin or any other privileged designation. Once the account is created with an elevated role, the attacker can log in and access the full administrative interface.

Impact

Successful exploitation allows an attacker to:

  • Create administrator accounts without any prior access or credentials
  • Access the admin dashboard, including student records, exam questions, grades, and user management
  • Modify or delete exam content — creating academic integrity risks in educational deployments
  • Exfiltrate student PII — names, email addresses, exam scores, and potentially payment data
  • Disable or lock out legitimate users by altering account states from the admin panel
  • Pivot to further attacks — using admin credentials to probe connected systems or escalate to server access

In an educational context, this vulnerability threatens the integrity of examinations, student privacy, and institutional data.

Proof of Concept

An attacker can register with an elevated role by tampering with the POST body sent to register.php:

POST /register.php HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
 
username=attacker&password=secret&email=attacker@evil.com&role=admin

If the server-side code performs no validation on the role field before inserting into the database, the attacker account is created with admin privileges. The attacker can then authenticate normally and access admin-only features.

Remediation

  1. Server-side role enforcement — Never trust client-supplied role values. Remove the role parameter from the registration form entirely, or enforce a server-side whitelist where new registrations are always assigned the lowest-privilege role (e.g., student).
  2. Role assignment via admin workflow — Privilege elevation should require an existing administrator to explicitly grant elevated roles through a protected interface.
  3. Input validation — If a role parameter must be accepted, validate it against a strict enum of allowed public values and reject any others with an HTTP 400 error.
  4. Audit existing accounts — Any deployment of this software should immediately audit the role column in the users table for any accounts with unexpected admin privileges.
  5. Implement access controls — Use a proper RBAC (Role-Based Access Control) framework and validate permissions server-side on every privileged request, not just at login.

References

  • NVD — CVE-2026-14719
  • CWE-269: Improper Privilege Management
  • OWASP Broken Access Control
#CVE-2026-14719#Privilege Escalation#SourceCodester#LMS#Web Security#PHP#Access Control

Related Articles

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read

CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote exploitation via an unsanitized user_id parameter.

3 min read

CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls product delete query via an unsanitized user_id parameter.

3 min read
Back to all Security Alerts