Sourcecodester
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Sourcecodester product.
RSS Feeds for Sourcecodester security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Sourcecodester products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Sourcecodester Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 210 vulnerabilities in Sourcecodester with an average score of 5.8 out of ten. Last year, in 2025 Sourcecodester had 132 security vulnerabilities published. That is, 78 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.57
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 210 | 5.77 |
| 2025 | 132 | 6.33 |
| 2024 | 12 | 5.77 |
| 2023 | 1 | 7.20 |
| 2022 | 2 | 9.80 |
| 2021 | 6 | 8.45 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 0.00 |
It may take a day or so for new Sourcecodester vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Sourcecodester Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-12529 | Jun 17, 2026 |
CET Automatic Grading System 1.0: Improper AC via Student SelfReg EndpointA security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. |
Cet Automated Grading System With Ai Predictive Analytics
|
| CVE-2026-12176 | Jun 13, 2026 |
XSS in SourceCodester CET Automated Grading System 1.0 via action paramA vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the file /index.php. The manipulation of the argument action leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. |
Cet Automated Grading System With Ai Predictive Analytics
|
| CVE-2026-11552 | Jun 08, 2026 |
Hardcoded password via raw_password in import_users.php (SourceCodester OLE LMS)A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. |
Onlne Examination Learning Management System
Syllabus Aligned Learning Management Examination System
|
| CVE-2026-11520 | Jun 08, 2026 |
SourceCodester Inventory Sys 1.0 XSS via header.php - RemoteA weakness has been identified in SourceCodester Inventory System 1.0. Affected by this issue is some unknown functionality of the file header.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Multiple parameters might be affected. |
Inventory System
|
| CVE-2026-11519 | Jun 08, 2026 |
Remote Auth Bypass in SourceCodester Inventory System 1.0: Creation HandlerA security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. |
Inventory System
|
| CVE-2026-11518 | Jun 08, 2026 |
SourceCodester Inventory System 1.0 XSS via /users.php fullname/usernameA vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. |
Inventory System
|
| CVE-2026-11515 | Jun 08, 2026 |
Hardcoded Password via New_Password in Password Reset Handler SRPI 1.0A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password with the input password123 leads to use of hard-coded password. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
Barangay Resident Profiling Information Management System
|
| CVE-2026-11501 | Jun 08, 2026 |
SourceCodester HPRMS 1.0 SQLi via ID in Master.phpA security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=save_patient. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. |
Hospitals Patient Records Management System
|
| CVE-2026-11486 | Jun 08, 2026 |
SourceCodester Class & Exam Timetabling Sys 1.0: Remote SQLi in /archive1.phpA vulnerability was detected in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /archive1.php. Performing a manipulation of the argument sy results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. |
Class Exam Timetabling System
|
| CVE-2026-11485 | Jun 08, 2026 |
SQLi in SourceCodester Class & Exam Timetabling System 1.0 (/archive2.php)A security vulnerability has been detected in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive2.php. Such manipulation of the argument sy leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. |
Class Exam Timetabling System
|
| CVE-2026-11484 | Jun 08, 2026 |
SourceCodester Class & Exam Timetabling 1.0 Remote SQLi in archive3.phpA weakness has been identified in SourceCodester Class and Exam Timetabling System 1.0. This impacts an unknown function of the file /archive3.php. This manipulation of the argument sy causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. |
Class Exam Timetabling System
|
| CVE-2026-11483 | Jun 08, 2026 |
SQLi via /archive4.php (sy) in SourceCodester Class & Exam Timetabling Sys 1.0A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /archive4.php. The manipulation of the argument sy results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. |
Class Exam Timetabling System
|
| CVE-2026-11482 | Jun 08, 2026 |
SQLi via sy in SourceCodester Class & Exam Timetabling 1.0 /archive5.phpA vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. |
Class Exam Timetabling System
|
| CVE-2026-11472 | Jun 08, 2026 |
SQLi in SourceCodester Class&Exam Timetabling 1.0 /index1.phpA vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. |
Class Exam Timetabling System
|
| CVE-2026-11471 | Jun 08, 2026 |
Remote SQLi via Password in SourceCodester Class & Exam Timetabling System 1.0A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /index2.php. The manipulation of the argument Password results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. |
Class Exam Timetabling System
|
| CVE-2026-11468 | Jun 07, 2026 |
XSS in SCRHS 1.0 via /admin/?page=room_typesA vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /admin/?page=room_types. Performing a manipulation of the argument room results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. |
Hospitals Patient Records Management System
|
| CVE-2026-11338 | Jun 05, 2026 |
XSS in Ship Ferry Ticket Reservation System 1.0 users pageA security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. |
Ship Ferry Ticket Reservation System
|
| CVE-2026-10877 | Jun 04, 2026 |
SQLi via Username in SourceCodester Ship Ferry Ticket RS 1.0 Admin LoginA security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Username leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. |
Ship Ferry Ticket Reservation System
|
| CVE-2026-10876 | Jun 04, 2026 |
SourceCodester Ship Ferry Ticket System 1.0 Improper Auth via /admin/A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. |
Ship Ferry Ticket Reservation System
|
| CVE-2026-10704 | Jun 03, 2026 |
SQLi in Pizzafy 1.0 ACPanel Admin LoginA vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/admin_class_novo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. |
Pizzafy E Commerce System
|
| CVE-2026-10694 | Jun 03, 2026 |
SourceCodester OOS 2.0 index.php include via page param (CVE-2026-10694)A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used. |
Online Food Ordering System
|
| CVE-2026-10693 | Jun 03, 2026 |
Improper Auth in SourceCodester Online Boat Reservation System 1.0 Admin EndpointA security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. |
Online Boat Reservation System
|
| CVE-2026-10624 | Jun 02, 2026 |
RCE via Improper ResID in SourceCodester HRM 1.0 Employee ViewA vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifiers. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. |
Human Resource Management
|
| CVE-2026-10559 | Jun 02, 2026 |
Pizzafy 1.0 RFI via page arg in /index.phpA flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used. |
Pizzafy Ecommerce System
|
| CVE-2026-10558 | Jun 02, 2026 |
PFI: Pizzafy 1.0 Remote File Inclusion via /admin/index.phpA vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack is possible to be carried out remotely. The exploit is now public and may be used. |
Pizzafy Ecommerce System
|
| CVE-2026-10295 | Jun 01, 2026 |
SourceCodester Customer Review App 1.0 DoS via review_app.pyA vulnerability was found in SourceCodester Customer Review App 1.0. Affected by this vulnerability is the function add_review/save_review/get_all_reviews of the file review_app.py. Performing a manipulation of the argument name/comment results in denial of service. The attack requires a local approach. The exploit has been made public and could be used. |
Customer Review App
|
| CVE-2026-10287 | Jun 01, 2026 |
SSRF in SourceCodester SEO Meta Tag Extractor 1.0 get_headers()A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. |
Seo Meta Tag Extractor
|
| CVE-2026-10263 | Jun 01, 2026 |
SQLi via ID in /admin/products/manage_product.php in CRS v<=1.0A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manage_product.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. |
Computer Repair Shop Management System
|
| CVE-2026-10255 | Jun 01, 2026 |
SourceCodester Pharmacy Sales & Inventory 1.0 ImpAccCtrl via sell_statementA vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
Pharmacy Sales Inventory System
|
| CVE-2026-10254 | Jun 01, 2026 |
File Disclosure in SourceCodester Pet Grooming 1.0 /adminA flaw has been found in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/. This manipulation causes file and directory information exposure. The attack can be initiated remotely. The exploit has been published and may be used. |
Pet Grooming Management Software
|
| CVE-2026-10248 | Jun 01, 2026 |
CSV injection in SourceCodester Sales & Inventory Sys 1.0 Supplier CreationA vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. |
Pharmacy Sales Inventory System
|
| CVE-2026-10247 | Jun 01, 2026 |
SourceCodester Pharmacy Sales & Inventory System 1.0 XSS via create_generic_nameA vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This vulnerability affects the function create_generic_name of the file /ShowForm/create_generic_name/main. The manipulation of the argument generic_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. |
Pharmacy Sales Inventory System
|
| CVE-2026-10246 | Jun 01, 2026 |
SourceCodester Pharmacy Sales & Inventory 1.0: XSS in create_medicineA vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function create_medicine_presentation of the file /ShowForm/create_medicine_presentation/main. The manipulation of the argument medicine_presentation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
Pharmacy Sales Inventory System
|
| CVE-2026-10245 | Jun 01, 2026 |
SourceCodester Pharmacy Sales & Inventory 1.0 XSS in create_supplierA flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used. |
Pharmacy Sales Inventory System
|
| CVE-2026-10244 | Jun 01, 2026 |
XSS in SourceCodester Pharmacy Sales & Inv. Sys 1.0 create_medicine_nameA vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function create_medicine_name of the file /ShowForm/create_medicine_name/main. Performing a manipulation of the argument medicine_name results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. |
Pharmacy Sales Inventory System
|
| CVE-2026-10237 | Jun 01, 2026 |
SourceCodester Water Billing MS 1.0 SQLi in User Mgmt ModuleA vulnerability was found in SourceCodester Water Billing Management System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user of the component User Management Module. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. |
Water Billing Management System
|
| CVE-2026-10236 | Jun 01, 2026 |
SourceCodester Water Billing System 1.0 Improper Auth in User EndpointA vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
Water Billing Management System
|
| CVE-2026-10185 | May 31, 2026 |
SQLi in SourceCodester Hospitals Patient Records Mgmt Sys 1.0 via ID in Users.phpA weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. |
Hospitals Patient Records Management System
|
| CVE-2026-10184 | May 31, 2026 |
SQLi in SourceCodester Hospital PM 1.0 via Users.php deleteA security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. |
Hospitals Patient Records Management System
|
| CVE-2026-9603 | May 26, 2026 |
Remote Auth Bypass via /admin/delete-session.php in eDoc 1.0A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. |
Edoc Doctor Appointment System
|
| CVE-2026-9583 | May 26, 2026 |
CET Automated Grading System 1.0 SQL Handler Error Msg Info ExposureA weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. |
Cet Automated Grading System With Ai Predictive Analytics
|
| CVE-2026-9582 | May 26, 2026 |
CSRF Vulnerability in SourceCodester CET Automated Grading System AI 1.0A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. |
Cet Automated Grading System With Ai Predictive Analytics
|
| CVE-2026-9564 | May 26, 2026 |
XSS Vulnerability in Hospitals Patient Records Management System 1.0 (Remarks)A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. |
Hospitals Patient Records Management System
|
| CVE-2026-9486 | May 25, 2026 |
SourceCodester SGMS 1.0 Remote CSRF VulnerabilityA security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. |
Student Grades Management System
|
| CVE-2026-9485 | May 25, 2026 |
XSS via Remarks in Student Grades Mgmt Sys 1.0 (students.php)A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. |
Student Grades Management System
|
| CVE-2026-9484 | May 25, 2026 |
Improper Auth: SourceCodester Student Grades 1.0, Classroom.phpA vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. |
Student Grades Management System
|
| CVE-2026-9483 | May 25, 2026 |
Impr. Auth in grades.php of SCS Student Grades Mgt 1.0A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. |
Student Grades Management System
|
| CVE-2026-9447 | May 25, 2026 |
SQL Injection in SourceCodester Simple POS 1.0 via /user/search.php Name parameterA vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. |
Simple Pos Inventory System
|
| CVE-2026-9446 | May 25, 2026 |
SQL Injection in SourceCodester Simple POS v1.0 (edit_customer.php ID)A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. |
Simple Pos Inventory System
|
| CVE-2026-9445 | May 25, 2026 |
SourceCodester Simple POS 1.0 Unrestricted File Upload in /admin/addproduct.phpA flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. |
Simple Pos Inventory System
|