
CVE-2026-2983: Improper Access Controls in SourceCodester Student Result Management System

Severity: Medium
Published: Mon Feb 23 2026 (02/23/2026, 09:32:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Student Result Management System

Description

CVE-2026-2983 is a medium-severity vulnerability in SourceCodester Student Result Management System version 1.0. It involves improper access controls in the /admin/core/import_users.php file, specifically in the Bulk Import component. This flaw allows remote attackers to manipulate a file argument to bypass access restrictions without authentication or user interaction. Exploitation could lead to unauthorized access or modification of user data. Although no known exploits are currently active in the wild, the vulnerability has been publicly disclosed, increasing the risk of future attacks. The CVSS 4.0 base score is 6.9, reflecting moderate impact on confidentiality, integrity, and availability.

AI-Powered Analysis

AILast updated: 02/23/2026, 10:16:43 UTC

Technical Analysis

CVE-2026-2983 identifies an improper access control vulnerability in the SourceCodester Student Result Management System version 1.0, specifically within the Bulk Import feature implemented in the /admin/core/import_users.php file. The vulnerability arises from inadequate validation or enforcement of access permissions on a file argument, allowing remote attackers to manipulate this parameter to bypass intended access controls. This flaw does not require authentication or user interaction, making it remotely exploitable over the network. The vulnerability could enable attackers to import unauthorized user data or modify existing records, potentially compromising the confidentiality and integrity of student result data. The CVSS 4.0 vector indicates no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no public exploits are currently observed in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The lack of patches or official fixes at the time of disclosure necessitates immediate defensive measures. The vulnerability affects only version 1.0 of the product, which is commonly used in educational institutions for managing student results and bulk user imports. This vulnerability highlights the risk of insufficient access control checks in web application components handling file inputs and bulk data operations.

Potential Impact

The vulnerability could allow unauthorized remote attackers to bypass access controls and manipulate user data within the Student Result Management System. This can lead to unauthorized creation, modification, or deletion of student records, undermining data integrity and confidentiality. Educational institutions relying on this system may face data breaches, loss of trust, and potential regulatory compliance issues related to student data protection. The availability impact is low but could increase if attackers disrupt the import process or corrupt data. Since the system manages sensitive academic records, exploitation could affect student evaluations, academic progress tracking, and administrative operations. The medium CVSS score reflects moderate risk, but the ease of remote exploitation without authentication raises concern for widespread abuse if left unmitigated. Organizations worldwide using this software, especially in education sectors, could experience operational disruptions and reputational damage.

Mitigation Recommendations

1. Immediately restrict access to the /admin/core/import_users.php endpoint to trusted administrators only, using network-level controls such as IP whitelisting or VPN access.
2. Implement strict server-side validation and sanitization of all file input parameters to prevent unauthorized file manipulation.
3. Apply role-based access controls (RBAC) ensuring only authorized users can perform bulk imports.
4. Monitor logs for unusual access patterns or repeated attempts to access the import functionality.
5. If possible, disable the bulk import feature until a vendor patch or official fix is released.
6. Conduct a thorough audit of user data integrity to detect any unauthorized changes.
7. Educate administrators about the vulnerability and encourage prompt reporting of suspicious activity.
8. Follow up with the vendor for patches or updates addressing this vulnerability and apply them as soon as available.
9. Consider deploying web application firewalls (WAFs) with custom rules to block exploit attempts targeting this endpoint.
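To support recommendations 1 through 4, the following added example (not part of the original advisory or of the SourceCodester project) scans web-server access log lines for requests to the bulk-import endpoint and flags those that contradict the intended access controls. The admin network range, the expected CSV filename pattern and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Hypothetical deployment values: trusted admin network and the filename pattern
# the import form is expected to submit. Adjust to the monitored site.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]
IMPORT_PATH = "/admin/core/import_users.php"
EXPECTED_FILE = re.compile(r"^[A-Za-z0-9_-]+\.csv$")

# Combined log format: host ident authuser [time] "method target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines for this demonstration, not taken from a real system.
SAMPLE_LOG = """\
10.0.0.5 - admin [23/Feb/2026:09:40:01 +0000] "GET /admin/core/import_users.php?file=students_2026.csv HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2026:09:41:12 +0000] "GET /admin/core/import_users.php?file=report.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.7 - - [23/Feb/2026:09:41:13 +0000] "GET /admin/core/import_users.php?file=users.csv HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.2 - - [23/Feb/2026:09:42:00 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

def analyse(log_text):
    """Return (findings, hits_per_ip) for requests to the bulk-import endpoint."""
    findings, hits = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, authuser, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != IMPORT_PATH:
            continue
        hits[ip] += 1  # repeated attempts per source (recommendation 4)
        reasons = []
        # Recommendation 1: only trusted networks should reach the endpoint.
        if not any(ip_address(ip) in net for net in ADMIN_NETWORKS):
            reasons.append("source outside admin network")
        # Recommendation 3: with HTTP auth in front of /admin, "-" means never authenticated.
        if authuser == "-":
            reasons.append("no authenticated user")
        # Recommendation 2: the file parameter should be a plain CSV filename.
        for value in parse_qs(url.query).get("file", []):
            if not EXPECTED_FILE.match(value):
                reasons.append(f"unexpected file value {value!r}")
        # A 200 where the request should have been refused is the strongest signal.
        if reasons and status == "200":
            reasons.append("server answered 200")
        if reasons:
            findings.append((ip, target, reasons))
    return findings, hits
```

Run `analyse()` over the real access log; the two curl requests in the sample are flagged, the authenticated request from the admin network is not.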


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-22T16:42:13.541Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699c25a9be58cf853b6f8c78

Added to database: 2/23/2026, 10:02:17 AM

Last enriched: 2/23/2026, 10:16:43 AM

Last updated: 2/23/2026, 11:17:21 AM
