LOW 3.3

CVE-2026-10295: Denial of Service in SourceCodester Customer Review App 1.0

CVE-2026-10295 is a low-severity denial-of-service vulnerability in SourceCodester Customer Review App version 1.0. By manipulating the 'name' or 'comment' parameters in the review submission functions, an attacker with local access can crash or degrade the application's availability. While an exploit has been published, the attack surface is limited because local authentication is required—this is not a remote vulnerability that can be exploited from the internet.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-404
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in SourceCodester Customer Review App 1.0. Affected by this vulnerability is the function add_review/save_review/get_all_reviews of the file review_app.py. Performing a manipulation of the argument name/comment results in denial of service. The attack requires a local approach. The exploit has been made public and could be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the review_app.py file, specifically within the add_review, save_review, and get_all_reviews functions. Improper validation or sanitization of the 'name' and 'comment' input fields allows a locally-authenticated attacker to supply malformed or excessively large input, triggering an unhandled exception or resource exhaustion that results in denial of service. The issue is classified as CWE-404 (Unimplemented or Incomplete Feature in API), indicating missing input validation mechanisms.

Business impact

The primary impact is application unavailability. If the Customer Review App is part of a customer-facing or internal business process, successful exploitation could interrupt service, degrade user experience, and potentially affect revenue-dependent workflows. However, because the attack requires local system access and valid authentication credentials, the risk is confined to insider threats or compromised local accounts rather than external attackers.

Affected systems

SourceCodester Customer Review App version 1.0 is confirmed vulnerable. Organizations running this application in production should audit their deployment scope and user access controls. No vendor patch status or fixed version information is currently available from this CVE record; contact the vendor or check their advisory for remediation guidance.

Exploitability

The exploit code is public, lowering the barrier for any local user to reproduce the attack. However, the requirement for local access and authenticated credentials significantly restricts exploitability. This is not a zero-click, remote, or unauthenticated vulnerability. The CVSS score of 3.3 (LOW) reflects this limited exposure; the attack vector is 'Local' and privileges are required.

Remediation

First, assess whether the Customer Review App is essential to your operations and whether it is exposed to untrusted users. If the application is no longer needed, uninstall it. If retention is necessary, immediately apply any available vendor patches. In the interim, restrict local system access through operating-system-level access controls, disable local login for non-administrative users where feasible, and monitor for suspicious activity on systems running the application.

Patch guidance

Check SourceCodester's official website or security advisories for a patched version of the Customer Review App. If no patch is available, work with the vendor to obtain an estimated timeline. Until a patch is released, mitigate via network segmentation and access controls. Test any patch in a non-production environment before deploying to production systems.

Detection guidance

Monitor application logs for unusual input patterns in the name/comment fields—look for oversized strings, null bytes, special characters, or repeated failed submissions. System-level monitoring should capture application crashes or service interruptions correlated with specific user actions. Check for any error messages or stack traces referencing review_app.py. If possible, enable input validation logging on the application to detect attack attempts.

Why prioritize this

Although the CVSS score is low, prioritize this vulnerability if you operate the Customer Review App in a shared or multi-user environment, or if local account compromise is a realistic threat in your threat model. For organizations where the app is isolated or runs in a single-user context, this can be lower priority but should still be tracked for eventual patching. Not on CISA's Known Exploited Vulnerabilities (KEV) list, but public exploit availability means attackers have reduced barriers to exploitation.

Risk score, explained

The CVSS 3.1 score of 3.3 reflects a low-severity impact: local access only (AV:L), low complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and only availability impact (A:L). The lack of confidentiality or integrity impact and the requirement for local authentication prevent a higher score. Organizations should weigh this against their specific risk tolerance and the sensitivity of data processed by the app.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The CVSS vector specifies AV:L (Attack Vector: Local), meaning the attacker must have local access to the system running the application and valid authentication credentials. This is not a remote code execution or remote denial-of-service vulnerability.

Is there a patch available?

No patch version or release information is recorded in this CVE. Contact SourceCodester directly or monitor their official channels for security updates. Your vendor advisory or support portal is the authoritative source.

Why is the severity low if an exploit is public?

Public exploit availability increases risk for organizations that actually run the vulnerable software, but CVSS measures intrinsic properties of the vulnerability itself—in this case, the limited attack surface (local access required), restricted impact (denial of service only), and authentication requirement. Severity reflects technical characteristics, not exploit availability.

What should I do if I use this application?

First, verify your version is 1.0 and confirm the app is necessary. Check SourceCodester for available patches. Restrict local user access, monitor for suspicious input patterns, and consider isolating the application on a dedicated system if possible. If an alternative application exists, evaluate migration as a long-term solution.

This analysis is based on the CVE record and publicly available information as of the publication date. Vendor patch status, version numbering, and availability may have changed since this CVE was published. Organizations should verify all technical details against official vendor advisories and test any patches in a controlled environment before deployment. SEC.co does not provide guarantee of accuracy for information obtained from third-party sources and recommends consulting your vendor's security contact for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).