CVE-2026-11552: Hard-Coded Password Authentication Bypass in SourceCodester LMS 1.0
A remote authentication bypass vulnerability exists in SourceCodester's Online Examination & Learning Management System (also marketed under an alternate name, Syllabus-aligned Learning Management and Examination System) version 1.0. An unauthenticated attacker can manipulate a password parameter in the user import function to trigger use of a hard-coded credential, gaining unauthorized access without valid authentication. The vulnerability requires no user interaction and can be exploited from the network. Public exploit details are available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-255, CWE-259
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11552 is a hard-coded password vulnerability (CWE-255, CWE-259) affecting the import_users.php endpoint in SourceCodester LMS 1.0. The flaw allows remote, unauthenticated attackers to bypass authentication by supplying a specific input value (CICT_2026) in the raw_password parameter, which causes the application to use an embedded credential instead of validating the provided password. The attack vector is network-based with low attack complexity and no privilege requirements.
Business impact
Compromise of a learning management system exposes institutional risk across multiple vectors. Attackers gaining administrative access via this vulnerability could read sensitive student records and academic data (FERPA/GDPR concern), modify grades and course content, inject malicious material into course materials, and establish persistent backdoor access for follow-on attacks. For educational institutions or organizations using this LMS, the reputational damage and potential regulatory liability are substantial, particularly if student or employee personally identifiable information is exfiltrated.
Affected systems
SourceCodester Online Examination & Learning Management System version 1.0 is confirmed affected. The same codebase is also distributed under the name Syllabus-aligned Learning Management and Examination System version 1.0. Organizations using either product variant should treat both as vulnerable. No other versions have been assessed in the available vulnerability record.
Exploitability
This vulnerability is readily exploitable. No authentication is required, attack complexity is low, and the exploit has been publicly disclosed. An attacker with network access to the import_users.php endpoint can attempt exploitation using standard HTTP requests. The simplicity of the manipulation (parameter-based input) and lack of user interaction requirements mean that automated scanning and exploitation tools are likely already in circulation. The window for opportunistic attacks is active.
Remediation
Immediate patching is required. Verify the availability of a security update from SourceCodester that removes hard-coded credentials and implements proper authentication validation for the user import function. Until a patch is available and deployed, restrict network access to the import_users.php endpoint using firewall rules or application firewalls, disable the user import feature if not actively required, and rotate all administrative credentials associated with the LMS to limit damage if compromise has already occurred. Audit access logs for signs of exploitation.
Patch guidance
Contact SourceCodester or consult their security advisory page for the latest patch version addressing this vulnerability (verify against vendor documentation, as specific version numbers were not provided in the initial disclosure). Test patches in a staging environment before production deployment. Given that public exploits are available, patching should be prioritized with urgency. If the vendor has not yet released a patch, escalate to their support team with CVE-2026-11552 and request an expected timeline.
Detection guidance
Monitor for POST or GET requests to import_users.php with the raw_password parameter set to CICT_2026 or similar hard-coded values. Implement web application firewall (WAF) rules to block requests containing this specific string in the password field. Review server and application logs for successful imports or user creation events that lack corresponding admin authentication sessions. Monitor user account creation events in the LMS for accounts created outside normal administrative workflows. Enable detailed logging on the import_users.php endpoint and correlate with failed versus successful authentication attempts.
Why prioritize this
Although the CVSS score is 5.3 (Medium), this vulnerability warrants above-baseline urgency because it is a network-accessible authentication bypass with public exploit code in an educational software product that handles sensitive personal data. The combination of low exploitation barriers, confirmed public disclosure, and the sensitivity of information managed by LMS systems elevates real-world risk despite the medium base score. Organizations running this software should treat this as a near-critical remediation target given the institutional data exposure and compliance implications.
Risk score, explained
The CVSS 3.1 score of 5.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L), no authentication requirement (PR:N), no user interaction (UI:N), and an isolated scope (S:U). The impact is limited to confidentiality (C:L) with no integrity or availability impact (I:N, A:N), which accounts for the Medium severity rating. However, this baseline score does not fully capture institutional and regulatory risk inherent in compromising a system that stores educational records, grades, and student personal information. Security teams should apply organizational risk context beyond the numerical score.
Frequently asked questions
Does this vulnerability allow an attacker to execute arbitrary code or crash the system?
No. This vulnerability is confined to authentication bypass—it permits unauthorized access to the user import function and potentially the administrative interface. The impact is limited to information disclosure and account manipulation. Remote code execution and denial of service are not attributed to this CVE.
If we are not actively using the user import feature, are we still at risk?
If the endpoint exists and is accessible on your network, yes. An attacker does not need to know or care whether your organization actively uses the import feature; they can trigger it remotely. Disabling or removing the endpoint entirely, or restricting access via firewall rules, eliminates this specific attack surface even before a patch is available.
Should we rotate all passwords across our LMS after discovering this vulnerability?
Yes, if there is any indication of unauthorized access or if the system has been live on an untrusted network. A compromise of the LMS administrative account could allow an attacker to have issued themselves additional credentials or maintained persistent access. A complete credential rotation, combined with a thorough log audit, is warranted as a defensive measure.
The vulnerability mentions the product is sold under two names. Does that mean we are not affected if we own only one variant?
No. The Online Examination & Learning Management System and the Syllabus-aligned Learning Management and Examination System version 1.0 are the same underlying codebase. If you are running either product at version 1.0, you are exposed to this vulnerability. Verify your product name and version against the CVE advisory and apply the same remediation.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. While we have drawn on available CVE data and public disclosures, we have not independently verified all technical claims or tested the vulnerability ourselves. Organizations should verify patch availability and compatibility directly with SourceCodester before deployment. This page is not a substitute for the vendor's official security advisory. Organizational risk assessments should account for local data sensitivity, regulatory requirements, and network architecture in addition to the CVSS score. If you believe your system has been compromised, engage incident response resources and law enforcement as appropriate for your jurisdiction. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11515MEDIUMHard-Coded Password in Barangay Resident System 1.0
- CVE-2026-22054HIGHHard-Coded Credentials in NetApp Active IQ Config Advisor 6.7.3
- CVE-2026-22055HIGHNetApp Active IQ OneCollect Hard-Coded Credentials (CVSS 8.8)
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection