Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14777

CVE-2026-14777: SourceCodester LMS RCE Vulnerability

CVE-2026-14777 is a remote code execution vulnerability in SourceCodester Online Examination & Learning Management System 1.0 caused by unrestricted file upload in /announcements.php. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-14777 Overview

CVE-2026-14777 is an unrestricted file upload vulnerability in SourceCodester Online Examination & Learning Management System 1.0. The flaw resides in unspecified functionality within the /announcements.php file. Attackers can exploit the weakness remotely over the network with low-privileged authenticated access. A public exploit is available, increasing the likelihood of opportunistic attacks against exposed instances. The issue is tracked under CWE-284: Improper Access Control. The vendor's product name contains a typo ("Onlne") in the original advisory, which practitioners should note when searching for affected assets.

Critical Impact

Authenticated remote attackers can upload arbitrary files through /announcements.php, potentially placing malicious content on the server hosting the learning management system.

Affected Products

  • SourceCodester Online Examination & Learning Management System 1.0
  • The /announcements.php endpoint within the application
  • Deployments exposing the affected endpoint to untrusted networks

Discovery Timeline

  • 2026-07-06 - CVE-2026-14777 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-14777

Vulnerability Analysis

The vulnerability stems from improper access control on file upload handling in /announcements.php. The application accepts uploaded content without adequately restricting file types, extensions, or the destination path. This category of flaw maps to CWE-284: Improper Access Control and enables attackers to place arbitrary files onto the server. The confidentiality, integrity, and availability impacts are each rated Low under CVSS 4.0, reflecting limited scope in the base metrics. However, the presence of a public proof of concept elevates operational risk for internet-exposed deployments. The EPSS metric places the vulnerability in the 11.6 percentile at time of publication, indicating limited but non-zero exploitation likelihood.

Root Cause

The root cause is missing or insufficient authorization and file-type validation on the announcement upload workflow. The endpoint permits users with low privileges to submit file uploads that the application does not properly restrict. Without extension allow-lists, MIME validation, or content inspection, the endpoint accepts server-executable or otherwise dangerous content.

Attack Vector

An attacker authenticates to the application with any low-privileged account and issues a crafted HTTP POST request to /announcements.php. The request includes a multipart upload containing a file the attacker controls. Because the endpoint does not enforce access control or filter uploads, the file is written to a location that may be reachable through the web server. Public exploit material is referenced in the GitHub Announcement Document and cataloged on VulDB.

No verified code examples are available. Refer to the linked advisory for reproduction details.

Detection Methods for CVE-2026-14777

Indicators of Compromise

  • Unexpected files with executable extensions (.php, .phtml, .phar) appearing in directories writable by the web server after requests to /announcements.php.
  • HTTP POST requests to /announcements.php containing multipart/form-data payloads from low-privileged user sessions.
  • Web server processes spawning shell interpreters or outbound network connections following announcement uploads.

Detection Strategies

  • Inspect web access logs for POST requests to /announcements.php correlated with subsequent GET requests to uncommon filenames under upload directories.
  • Deploy file integrity monitoring on application upload directories to detect new files that were not created through legitimate administrative workflows.
  • Alert on web server user contexts executing scripting engines or spawning child processes not tied to normal request handling.

Monitoring Recommendations

  • Forward web server, application, and host telemetry to a centralized analytics platform to correlate upload events with post-upload access and process creation.
  • Track authentication events for the learning management system and flag accounts that generate atypical upload volume against /announcements.php.
  • Maintain baselines of files under application upload paths and review deviations daily.

How to Mitigate CVE-2026-14777

Immediate Actions Required

  • Restrict network access to the affected application until a fix is applied, limiting exposure to trusted networks or VPN-authenticated users.
  • Disable or remove access to /announcements.php if the feature is not required in production.
  • Audit application upload directories for unexpected files and remove any content that cannot be tied to legitimate administrator activity.
  • Rotate credentials for accounts that had access to the application prior to remediation.

Patch Information

No vendor patch is referenced in the public advisory data at the time of publication. Consult the VulDB entry for CVE-2026-14777 and the SourceCodester project site for updates. Organizations running this application should treat it as unpatched and apply compensating controls.

Workarounds

  • Place the application behind a reverse proxy or web application firewall that blocks POSTs to /announcements.php from non-administrative sources.
  • Configure the web server to disallow execution of scripts within upload directories using directives such as denying handler mappings for PHP files under those paths.
  • Enforce an extension allow-list at the proxy or application layer that permits only benign document formats required by the announcement feature.
  • Require multi-factor authentication for all accounts to raise the cost of obtaining the low-privileged access needed for exploitation.
bash
# Example Apache configuration to prevent script execution in an uploads directory
<Directory "/var/www/oe-lms/uploads">
    php_flag engine off
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    Options -ExecCGI
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.