CVE-2026-2177
Published: 08 February 2026
Summary
CVE-2026-2177 is a medium-severity Session Fixation (CWE-384) vulnerability in Fast5 Prison Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).
Deeper analysis
CVE-2026-2177 is a session fixation vulnerability (CWE-384) in an unknown function of the Login component within SourceCodester Prison Management System 1.0. Published on 2026-02-08, it carries a CVSS v3.1 base score of 7.3 (High), rated as AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity, no privileges or user interaction required, and low impacts across confidentiality, integrity, and availability.
The vulnerability enables remote exploitation where an attacker manipulates session handling during login, potentially allowing session hijacking if a victim authenticates using a pre-set session identifier controlled by the attacker. Unauthenticated attackers can initiate this remotely, achieving partial compromise of user sessions.
Advisories reference VulDB entries (ctiid.344880, id.344880, submit.749485) and a GitHub issue (https://github.com/hater-us/CVE/issues/10), noting that the exploit has been publicly disclosed and may be used. The vendor site (https://www.sourcecodester.com/) is listed for further details, though no specific patches or mitigations are outlined in the core description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5773
Vulnerability details
A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been…
more
disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Session fixation in a public-facing login component directly enables remote exploitation of the application (T1190) and use of a pre-set web session identifier as alternate authentication material to hijack a valid user session (T1550.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires cryptographic or equivalent protection of session identifiers to ensure authenticity, blocking the attacker-supplied session ID used in this fixation attack.
Mandates automatic or explicit session termination and invalidation upon login or timeout, limiting the window in which a pre-set attacker session can be used after authentication.
Requires robust identification and authentication at login that, when implemented with session regeneration, prevents the fixation vector described in the CVE.