Cyber Resilience

CVE-2026-2177

Severity: Medium · Public PoC

Published: 08 February 2026
Modified: 10 February 2026
KEV added: not listed
Patch: none listed
CVSS v4 score: 6.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0008 (24.5th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2177 is a medium-severity Session Fixation (CWE-384) vulnerability in Fast5 Prison Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).

Deeper analysis

CVE-2026-2177 is a session fixation vulnerability (CWE-384) in an unknown function of the Login component within SourceCodester Prison Management System 1.0. Published on 2026-02-08, it carries a CVSS v3.1 base score of 7.3 (High), rated as AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity, no privileges or user interaction required, and low impacts across confidentiality, integrity, and availability.

The vulnerability enables remote exploitation where an attacker manipulates session handling during login, potentially allowing session hijacking if a victim authenticates using a pre-set session identifier controlled by the attacker. Unauthenticated attackers can initiate this remotely, achieving partial compromise of user sessions.

Advisories reference VulDB entries (ctiid.344880, id.344880, submit.749485) and a GitHub issue (https://github.com/hater-us/CVE/issues/10), noting that the exploit has been publicly disclosed and may be used. The vendor site (https://www.sourcecodester.com/) is listed for further details, though no specific patches or mitigations are outlined in the core description.

Vulnerability details

A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

Session fixation in a public-facing login component directly enables remote exploitation of the application (T1190) and use of a pre-set web session identifier as alternate authentication material to hijack a valid user session (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-27661 (shared CWE-384)
- CVE-2026-25101 (shared CWE-384)
- CVE-2025-7015 (shared CWE-384)
- CVE-2026-24352 (shared CWE-384)
- CVE-2026-33492 (shared CWE-384)
- CVE-2025-63529 (shared CWE-384)
- CVE-2022-40916 (shared CWE-384)
- CVE-2025-52689 (shared CWE-384)
- CVE-2023-53776 (shared CWE-384)
- CVE-2026-23796 (shared CWE-384)

Affected Assets

Fast5 Prison Management System 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- SC-23 Session Authenticity (prevent): Directly requires cryptographic or equivalent protection of session identifiers to ensure authenticity, blocking the attacker-supplied session ID used in this fixation attack.
- AC-12 Session Termination (prevent): Mandates automatic or explicit session termination and invalidation upon login or timeout, limiting the window in which a pre-set attacker session can be used after authentication.
- Identification and authentication at login (prevent): Requires robust identification and authentication at login that, when implemented with session regeneration, prevents the fixation vector described in the CVE.
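The fixation-then-regeneration behaviour described in the analysis and mitigations above, as an added Python illustration that is not code from the affected product or from this page: a toy session store with the CWE-384 login beside a hardened login that rotates and invalidates the identifier on authentication, plus a check a defender can run against either variant. All class, function and value names are assumptions.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session_id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def start(self, session_id=None):
        # Accepting a caller-supplied id (from a URL or a pre-set cookie)
        # is the precondition for fixation; a fresh id is minted otherwise.
        sid = session_id or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login_vulnerable(self, sid, user):
        # Keeps the pre-authentication id: whoever knew it beforehand now
        # holds an authenticated session (the CWE-384 pattern).
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Rotate the identifier on the privilege change and invalidate the
        # old one, so a pre-set id can never become authenticated (SC-23/AC-12).
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_resisted(login_name):
    """Defender's check: a session is started with a constructed pre-set id,
    the victim authenticates with it, and the pre-set id must grant nothing
    afterwards while the id returned by login must be the authenticated one."""
    store = SessionStore()
    preset = "preset-id-from-elsewhere"  # constructed value
    sid = store.start(preset)
    post_login = getattr(store, login_name)(sid, "warden")
    return store.whoami(preset) is None and store.whoami(post_login) == "warden"


if __name__ == "__main__":
    for name in ("login_vulnerable", "login_hardened"):
        print(name, "resists fixation:", fixation_resisted(name))
```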
