CVE-2026-5330: Improper Access Controls in SourceCodester Best Courier Management System
A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access controls. The attack may be initiated remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2026-5330 is a vulnerability identified in SourceCodester's Best Courier Management System version 1.0, specifically within the User Delete Handler component reached through the /ajax.php?action=delete_user endpoint. The flaw arises from improper access control: the handler does not verify that the requester is authorized before processing the deletion of a user account. By manipulating the 'ID' parameter in the HTTP request, a remote attacker can delete arbitrary user accounts without authenticating and without any user interaction. The vulnerability is classified as improper access control and compromises the integrity and availability of the system by permitting unauthorized destructive actions. The CVSS 4.0 vector indicates that the attack is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), has no confidentiality impact (VC:N), and affects integrity and availability to a low degree (VI:L, VA:L). The exploit has been publicly disclosed, which increases the risk of exploitation, although no exploitation in the wild has been reported. With no patches or vendor advisories available at this time, users of the affected software need to apply mitigations immediately. The vulnerability could be used to disrupt courier management operations by removing user accounts, potentially causing denial of service or administrative lockout.
Potential Impact
The primary impact of CVE-2026-5330 is on the integrity and availability of the affected courier management system. Unauthorized deletion of user accounts can disrupt business operations, leading to denial of service for legitimate users and administrative difficulty in restoring access. This can degrade trust in the system and cause operational delays in courier management workflows. Because the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations relying on this software, especially where the application is exposed to the internet without network-level protections. While confidentiality is not directly impacted, the loss of user accounts can indirectly affect data integrity and operational continuity. Organizations may face increased support costs and reputational damage if attackers exploit this flaw to disrupt services. The absence of known active exploits reduces the immediate risk, but the public availability of exploit details raises the likelihood of future attacks.
Mitigation Recommendations
To mitigate CVE-2026-5330, organizations should first verify whether they are running SourceCodester Best Courier Management System version 1.0 and assess the exposure of the /ajax.php?action=delete_user endpoint. Immediate steps include restricting access to this endpoint with network controls such as firewalls or VPNs, limiting it to trusted IP addresses or internal networks only. Deploying a web application firewall (WAF) with rules that detect and block suspicious parameter manipulation can reduce exploitation risk. Where possible, modify the application code to enforce strict authorization checks on user deletion requests, so that only authenticated and authorized users can perform such actions. Regularly monitor logs for unusual deletion attempts or access patterns. Since no official patches are currently available, consider isolating the affected system or migrating to alternative software with better security controls. Engage with the vendor or community for updates and patches. Additionally, educate administrators about the risk and maintain backups of user data so that unauthorized deletions can be recovered.
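The code-level mitigation above (enforce authentication and authorization on the delete request, validate the ID, and log every attempt) is illustrated below. This is an added example written for this page; it is not code from Best Courier Management System, whose actual ajax.php internals the advisory does not show. It assumes a hypothetical dispatcher that routes `?action=delete_user`, a PHP session holding the logged-in user's `user_id`, `role` and `csrf_token`, a PDO connection provided as `$pdo` by an assumed `db_connect.php`, and a `users` table keyed by `id`; the `admin` role name and the `audit()` helper are likewise assumptions.

```php
<?php
// Added illustration of a hardened delete_user handler. Nothing here is taken
// from the affected project; the session layout, role name, table name and
// the db_connect.php include are assumptions made for this example.
declare(strict_types=1);

session_start();
require __DIR__ . '/db_connect.php';   // assumed to define $pdo (PDO)

/**
 * Write one audit line per attempt so that log review can spot abuse of
 * the endpoint (denied calls are as interesting as successful ones).
 */
function audit(string $event, string $remoteAddr, $targetId, ?int $actorId = null): void
{
    error_log(sprintf('[%s] %s actor=%s target=%s ip=%s',
        gmdate('c'), $event, $actorId ?? '-', $targetId ?? '-', $remoteAddr));
}

/**
 * Decide whether the caller may delete the requested account, and only then
 * run the DELETE. Returns an HTTP status and a JSON-encodable body.
 */
function delete_user(PDO $pdo, array $session, array $post, string $remoteAddr): array
{
    $target = $post['id'] ?? null;
    $actor  = isset($session['user_id']) ? (int) $session['user_id'] : null;

    // 1. Authentication: an anonymous caller must never reach the delete logic.
    if ($actor === null) {
        audit('delete_user denied: unauthenticated', $remoteAddr, $target);
        return ['status' => 401, 'body' => ['error' => 'authentication required']];
    }

    // 2. Authorization: only an administrator may delete accounts.
    if (($session['role'] ?? '') !== 'admin') {
        audit('delete_user denied: insufficient role', $remoteAddr, $target, $actor);
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }

    // 3. CSRF: a state-changing action must carry the session's token,
    //    compared in constant time.
    $token = (string) ($post['csrf_token'] ?? '');
    if ($token === '' || !hash_equals((string) ($session['csrf_token'] ?? ''), $token)) {
        audit('delete_user denied: bad csrf token', $remoteAddr, $target, $actor);
        return ['status' => 403, 'body' => ['error' => 'invalid token']];
    }

    // 4. Input validation: the ID must be a positive integer, nothing else.
    $id = filter_var($target, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        audit('delete_user rejected: invalid id', $remoteAddr, $target, $actor);
        return ['status' => 400, 'body' => ['error' => 'invalid id']];
    }

    // 5. Guard against self-deletion, which would lock the administrator out.
    if ($id === $actor) {
        audit('delete_user rejected: self-deletion', $remoteAddr, $id, $actor);
        return ['status' => 409, 'body' => ['error' => 'cannot delete own account']];
    }

    // 6. Parameterised DELETE; report how many rows were affected.
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $deleted = $stmt->rowCount();
    audit("delete_user ok: rows=$deleted", $remoteAddr, $id, $actor);
    return ['status' => 200, 'body' => ['deleted' => $deleted]];
}

// Assumed dispatcher shape: only the delete_user action is shown, and it is
// accepted over POST only so the ID cannot be supplied in a crafted link.
if (($_GET['action'] ?? '') === 'delete_user') {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    $result = delete_user($pdo, $_SESSION, $_POST, $_SERVER['REMOTE_ADDR'] ?? '-');
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result['body']);
}
```

The ordering matters: authentication and role checks run before the ID is even parsed, so an unauthenticated request is refused with no database access, which is the condition the advisory says the affected handler fails to enforce. The audit lines give the "monitor logs for unusual deletion attempts" step something concrete to alert on, for example a burst of `denied: unauthenticated` entries from one address.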
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-01T13:47:29.145Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce6a44e6bfc5ba1dd993b7
Added to database: 4/2/2026, 1:08:20 PM
Last enriched: 4/2/2026, 1:24:45 PM
Last updated: 4/3/2026, 6:58:18 AM