CVE-2026-10168: Improper Resource Control in OUSL-GROUP-BrinaryBrains Student Management System
A vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated users to manipulate resource identifiers through the marks function in the Parents.php controller, potentially exposing or modifying student data. An attacker with login credentials can exploit this remotely by injecting malicious parameters, affecting the confidentiality and integrity of educational records. Public disclosure has occurred, increasing real-world exploitation risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-99
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10168 is a CWE-99 (Improper Control of Resource Identifiers) vulnerability in the marks() function within application/controllers/Parents.php. The vulnerability stems from insufficient validation of the param1 argument, allowing parameter manipulation. An authenticated remote attacker can craft requests that bypass intended access controls on resource identifiers, potentially viewing or modifying records belonging to other students or parents. The system uses continuous delivery with rolling releases, making version tracking difficult. CVSS 3.1 rating is 6.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, reflecting network accessibility, low attack complexity, and requirement for prior authentication.
Business impact
For school deployments, this vulnerability creates operational and compliance risk. Student grades, attendance, and parental communications—sensitive Personal Identifiable Information (PII)—may be exposed or altered by authenticated attackers. Schools face potential liability under FERPA (Family Educational Rights and Privacy Act) if unauthorized disclosure occurs. Unauthorized modification of academic records could harm student transcripts and institutional records integrity. Reputational damage and loss of parent trust follows public breach disclosure. The continuous delivery model means affected instances may span many deployment points without clear version boundaries, complicating scope assessment.
Affected systems
OUSL-GROUP-BrinaryBrains School Student Management System is affected up to commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Because the product uses continuous delivery with rolling releases, specific version numbers are not available. All active deployments of this system should be considered potentially affected unless patched. The vulnerability requires an authenticated user account (parent, staff, or admin login), so external unauthenticated attacks are not possible. Organizations running this system should audit all instances regardless of purported version.
Exploitability
Public disclosure has occurred, making exploit techniques and payload construction known to threat actors. The attack requires valid credentials (authentication is required per CVSS vector), limiting the immediate attack surface to users with legitimate access—parents, teachers, or administrators. However, credential compromise, insider threats, or shared accounts increase practical exploitability. Attack complexity is low; no special tooling or race conditions are needed. A malicious insider or compromised account holder can trivially exploit by crafting HTTP requests with modified param1 values to access unauthorized records. The lack of vendor response since early notification increases window of exposure.
Remediation
Apply security updates from OUSL-GROUP-BrinaryBrains when released. Because the vendor has not yet responded to early notification and no public patches are available as of the last modification date (2026-06-17), immediate patching is not an option. Implement compensating controls: enforce strong password policies and multi-factor authentication to reduce credential compromise risk; apply principle of least privilege (limit parent accounts to their own records only); audit and restrict database query permissions at the application layer; implement detailed logging of access to student records; conduct a retrospective audit of the marks function to identify unauthorized access. Consider disabling or restricting the marks feature if possible until patches are available. Escalate to the vendor for urgent patch availability and timeline.
Patch guidance
No vendor-released patches are currently available due to the vendor's unresponsive status. Verify the latest release from OUSL-GROUP-BrinaryBrains official repository or advisory channels. Once patches are published, update immediately, prioritizing this as a critical security task given the sensitive nature of educational data. For rolling-release deployments, ensure your continuous integration/deployment pipeline validates security commits and does not automatically pull unverified updates. After patching, re-test the marks function with both authorized and unauthorized user accounts to confirm parameter validation has been implemented.
Detection guidance
Monitor application logs for suspicious parameter patterns in requests to application/controllers/Parents.php (marks function). Look for param1 values that reference student IDs or resources not owned by the authenticated user. Enable detailed HTTP request logging at the web server and application level. Search for sequences of requests where a single parent account accesses or modifies records belonging to multiple students. Database query logging can reveal unauthorized SELECT or UPDATE statements on student records initiated by the Parents module. Implement alerting on repeated 403 (Forbidden) responses followed by successful access to unintended records—a potential sign of parameter enumeration. Review access control logs for any marks modifications outside the expected user's scope.
Why prioritize this
Although CVSS 6.3 is MEDIUM severity, prioritize this issue because: (1) student data is regulated by FERPA and other privacy laws, creating compliance liability; (2) public disclosure increases exploitation likelihood; (3) the vendor is unresponsive, leaving organizations without a clear remediation path; (4) educational institutions are attractive targets for data theft and ransom; (5) the vulnerability affects data integrity (student grades), with long-term consequences for victims. Schools should treat this as HIGH priority internally despite the MEDIUM CVSS score.
Risk score, explained
CVSS 3.1 score of 6.3 reflects the required authentication (PR:L), network-based attack vector (AV:N), and low attack complexity (AC:L). The score assumes a single user session and isolated impact (S:U). However, context elevates practical risk: sensitive PII, regulatory exposure, vendor unresponsiveness, and public disclosure shift the operational risk profile higher than the numeric CVSS suggests. Use CVSS as a technical baseline, not the sole priority driver for educational institutions.
Frequently asked questions
What does 'improper control of resource identifiers' mean in this context?
The marks function fails to validate that the authenticated user owns or has permission to access the resource (a student record) they're requesting. By manipulating param1, an attacker can specify another student's ID and potentially view or modify their grades. The application trusts the parameter without confirming authorization.
Do I need valid credentials to exploit this vulnerability?
Yes. The CVSS vector (PR:L) indicates the attack requires a login (low privilege). A parent, teacher, or admin account is necessary. However, stolen credentials, shared accounts, or malicious insiders make this a practical threat in educational environments.
Why hasn't the vendor released a patch yet?
The vendor was informed early through an issue report but has not responded as of the modification date (2026-06-17). This unresponsiveness is unusual and concerning. Reach out directly to the vendor and escalate through support channels. In the meantime, implement compensating controls like stricter access policies and monitoring.
Are schools required to disclose this if they discover unauthorized access via this vulnerability?
Possibly, depending on jurisdiction. FERPA requires notification if student data confidentiality or integrity is compromised. State breach notification laws may also apply. Consult your legal and privacy teams immediately if you discover exploitation. Document your detection and response efforts carefully.
This analysis is based on available CVE data as of 2026-06-17. No official patches are currently available; verify against OUSL-GROUP-BrinaryBrains' official advisory and repository. CVSS scores are technical risk indicators and do not replace organizational risk assessment. Educational institutions should consult legal and compliance teams regarding FERPA obligations and breach notification requirements. Exploitation attempts should be reported to relevant authorities and the vendor. SEC.co does not provide legal advice; this analysis is for informational purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10624MEDIUMSourceCodester HRM Employee Data Exposure Vulnerability
- CVE-2026-10299LOWOnline Hospital Management System Resource Identifier Control Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11