What happened
CVE-2026-12176 was published by NVD on June 14, 2026 (CVSS 4.3 MEDIUM). The SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 contains a reflected cross-site scripting vulnerability in the /index.php endpoint. Manipulation of the 'action' argument allows remote attackers to inject and execute arbitrary JavaScript in the victim's browser. The attack is remotely exploitable and was reported via VulDB.
Why it matters
This product markets itself as an AI-powered grading and predictive analytics system. Reflected XSS allows an attacker to craft a malicious link targeting instructors or administrators, steal session credentials, and gain access to AI-generated student performance analytics or grade records. The impact is limited by the niche deployment footprint (single-version educational software from SourceCodester) and the lack of known exploitation.
Attack vector
A remote attacker crafts a malicious URL with injected script in the 'action' parameter of /index.php; the victim (e.g., an instructor) clicks the link and the script executes in their browser session.
Affected systems
SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0
Mitigation
No patch available as of disclosure. Avoid exposing the application publicly; apply WAF rules to block script injection in the action parameter. VulDB reference: https://vuldb.com/cve/CVE-2026-12176
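The following is an added illustration of the vulnerability class described above, not code from the SourceCodester project: a hypothetical index.php request dispatcher that reflects the 'action' query parameter, shown first in a vulnerable form and then in a hardened form. The action names in the allowlist and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not the SourceCodester application's own code. It models a
// hypothetical index.php that reflects the 'action' query parameter.

// Vulnerable pattern (illustrative): the raw parameter is concatenated into
// HTML, so any markup carried in ?action=... is rendered by the browser.
function render_unsafe(array $get): string
{
    $action = $get['action'] ?? 'home';
    return "<p>Unknown action: " . $action . "</p>";
}

// Hardened pattern: validate the parameter against an allowlist of known
// actions, and HTML-encode anything that is still reflected. ENT_QUOTES
// covers attribute contexts as well as text nodes.
// The action names below are assumed for the example.
const ALLOWED_ACTIONS = ['home', 'grades', 'analytics', 'logout'];

function render_safe(array $get): string
{
    $action = $get['action'] ?? 'home';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        // Reflecting the rejected value is rarely necessary; if it is kept
        // for diagnostics, encode it for the HTML text context.
        $safe = htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<p>Unknown action: " . $safe . "</p>";
    }
    // Only allowlisted literals reach this point, so they are safe to emit.
    return "<p>Action: " . $action . "</p>";
}

// Constructed sample request: the 'action' value carries HTML markup.
$sample = ['action' => '<b>not-an-action</b>'];

echo render_unsafe($sample) . PHP_EOL;  // markup is emitted verbatim
echo render_safe($sample) . PHP_EOL;    // markup is emitted as &lt;b&gt;...
```

Run it from the command line with `php index_example.php` to compare the two outputs. Output encoding at the point where the value is written into the page is the durable fix; a WAF rule on the action parameter, as suggested above, only filters known patterns in front of code that remains vulnerable, so it is a stopgap until the application itself is corrected.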