Cyber Resilience

CVE-2026-1423

MediumPublic PoC

Published: 26 January 2026

Published
26 January 2026
Modified
28 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 30.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1423 is a medium-severity Improper Access Control (CWE-284) vulnerability in Fabian Online Examination System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1423 is a vulnerability in code-projects Online Examination System 1.0, affecting an unknown functionality within the /admin_pic.php file. The issue enables unrestricted file upload, classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It was published on 2026-01-26 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A remote attacker with low privileges can exploit this vulnerability without user interaction to perform file uploads, potentially leading to remote code execution via unsafe file handling. Public disclosures, including a GitHub repository detailing the finding, confirm the exploit is available and may be utilized by threat actors targeting deployments of this system.

Advisories from VulDB (ctiid.342839, id.342839) and related submissions document the issue, along with references to the vendor site at code-projects.org. No patches or specific mitigations are detailed in the provided references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has…

more

been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in a public-facing web app directly enables initial access via exploitation (T1190) and deployment of a web shell for persistence/RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2173Same product: Fabian Online Examination System
CVE-2026-1422Same product: Fabian Online Examination System
CVE-2025-7190Same vendor: Fabian
CVE-2026-2213Same vendor: Fabian
CVE-2026-2133Same vendor: Fabian
CVE-2025-0335Same vendor: Fabian
CVE-2024-57668Same vendor: Fabian
CVE-2025-70151Same vendor: Fabian
CVE-2026-0577Same vendor: Fabian
CVE-2025-69565Same vendor: Fabian

Affected Assets

fabian
online examination system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access restrictions on the /admin_pic.php upload endpoint so that only explicitly authorized actions and file types are permitted.

prevent

Requires validation of all input (file type, extension, content) before accepting uploads, directly blocking the unrestricted file upload vector.

prevent

Limits the upload privilege to the minimum roles that truly require it, reducing the attack surface available to low-privileged remote users.

References