Is there a public PoC exploit available for CVE-2026-10271?

Yes, a public proof-of-concept exploit is available for CVE-2026-10271. Prioritise patching immediately. EPSS: 0.0%.

Student-Management-System CVE-2026-10271

Q: What is the CVSS score of CVE-2026-10271?

CVE-2026-10271 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33695 LOW

Execution After Redirect (EAR) (CWE-698)

2026-06-01 VulDB

GHSA-5q78-whf2-pmwx

Information Disclosure Student Management System

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Jun 01, 2026 - 17:22 NVD

MEDIUM LOW

CVSS changed

Jun 01, 2026 - 17:22 NVD

6.3 (MEDIUM) 2.1 (LOW)

Analysis Generated

Jun 01, 2026 - 17:21 vuln.today

DescriptionCVE.org

A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Execution After Redirect (EAR) in a4m4's Student-Management-System exposes admin/ endpoints to unauthorized data access via manipulation of the uid parameter, allowing server-side PHP logic to execute and return sensitive output despite issuing an HTTP redirect response. The CVSS vector (PR:N) confirms no authentication is required, and the exploit has been publicly published via a GitHub issue, making this trivially reproducible. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify publicly accessible admin/ endpoint

Delivery

Craft HTTP request with manipulated uid parameter

Exploit

Server issues 302 redirect but continues PHP script execution

Execution

Capture response body containing protected admin data

Impact

Extract disclosed student or system records