CVE-2026-1423
Published: 26 January 2026
Summary
CVE-2026-1423 is a medium-severity Improper Access Control (CWE-284) vulnerability in Fabian Online Examination System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1423 is a vulnerability in code-projects Online Examination System 1.0, affecting an unknown functionality within the /admin_pic.php file. The issue enables unrestricted file upload, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It was published on 2026-01-26 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability without user interaction to perform file uploads, potentially leading to remote code execution via unsafe file handling. Public disclosures, including a GitHub repository detailing the finding, confirm the exploit is available and may be utilized by threat actors targeting deployments of this system.
Advisories from VulDB (ctiid.342839, id.342839) and related submissions document the issue, along with references to the vendor site at code-projects.org. No patches or specific mitigations are detailed in the provided references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4704
Vulnerability details
A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has…
more
been publicly disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in a public-facing web app directly enables initial access via exploitation (T1190) and deployment of a web shell for persistence/RCE (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access restrictions on the /admin_pic.php upload endpoint so that only explicitly authorized actions and file types are permitted.
Requires validation of all input (file type, extension, content) before accepting uploads, directly blocking the unrestricted file upload vector.
Limits the upload privilege to the minimum roles that truly require it, reducing the attack surface available to low-privileged remote users.