CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A security flaw has been discovered in Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Manipulation of the argument stimg results in an unrestricted file upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates, so specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers, who can upload arbitrary files, including PHP webshells, by manipulating the stimg argument in service/RegisterService.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) records a network-reachable endpoint with low attack complexity, no attack requirements, no privileges and no user interaction, making this trivially exploitable by any attacker who can reach the application. …
Vulnerability Assessment (AI)
| Topic | Assessment |
|---|---|
| Exploitation | No special conditions are required: the CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) records unauthenticated, zero-interaction exploitation against the default configuration of Kushan2k student-management-system. … |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) is likely an understatement of true operational risk: the vector rates confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L), while the scenario below ends in arbitrary command execution under the web server account. … |
| Exploit Scenario | An unauthenticated remote attacker sends a crafted multipart HTTP POST request to `service/RegisterService.php` with the `stimg` field set to a PHP webshell (e.g. `shell.php` containing `<?php system($_GET['cmd']); ?>`). The server stores the file in a web-accessible upload directory without validating its type, and the attacker then requests the uploaded file's URL directly to execute arbitrary OS commands under the web server's process account. … |
| Remediation | No vendor-released patch has been identified at the time of analysis: the maintainer has not responded to the responsible disclosure filed as a GitHub issue (https://github.com/Kushan2k/student-management-system/issues/1), and because the project is rolling-release there is no fixed version to pin to. … |
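The scenario above hinges on the server accepting whatever arrives in the `stimg` part and storing it where the web server will execute it. The following PHP is an added example, not code from Kushan2k/student-management-system (the real service/RegisterService.php has not been reviewed here): a minimal upload handler in the vulnerable shape the assessment describes, beside a hardened version. The function names, the 2 MiB cap, the storage directory and the image allowlist are assumptions; only the field name `stimg` and the file service/RegisterService.php come from the advisory.

```php
<?php
// Added example. Not the project's code; the functions, limits and paths
// below are assumptions used to illustrate the vulnerable and hardened shapes.
declare(strict_types=1);

// VULNERABLE SHAPE: trusts the client-supplied filename and performs no type
// check. A multipart part named shell.php lands as $uploadDir/shell.php inside
// the web root and is executed by PHP on the next GET.
function saveStudentImageVulnerable(array $file, string $uploadDir): string
{
    $target = $uploadDir . '/' . $file['name'];     // attacker controls the name
    move_uploaded_file($file['tmp_name'], $target); // no type, size or name check
    return $target;                                  // web-accessible path
}

// HARDENED SHAPE: sniff the content, allowlist the type, let the server pick
// the name, and keep the file where PHP will not execute it.
function saveStudentImageHardened(array $file, string $storeDir): string
{
    // 1. Only accept something PHP itself received as an upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // 2. Size cap (assumed 2 MiB for a student photo).
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }

    // 3. Sniff the bytes; never trust $file['type'] or the name's extension,
    //    both of which the client chooses.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type');
    }

    // 4. Second opinion: the image parser must accept the file as well.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parsable image');
    }

    // 5. Server-chosen name: random, fixed extension from the allowlist,
    //    no path components from the request.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($storeDir, '/') . '/' . $name;

    // 6. $storeDir is assumed to live outside the document root, so even an
    //    image carrying PHP in its metadata can never be executed.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('store failed');
    }
    chmod($target, 0640);

    // Persist only the generated name; serve it through a read-only handler.
    return $name;
}

// Usage inside a registration handler (field name from the advisory):
// $stored = saveStudentImageHardened($_FILES['stimg'], '/var/app/student-images');
```

Content sniffing and `getimagesize` alone do not stop a valid JPEG that carries `<?php` in a comment segment, which is why the hardened path also keeps the directory outside the document root. If the images must stay under the web root, disable script execution for that directory (Apache with mod_php: `php_flag engine off` in a `.htaccess` for the upload directory; nginx: a `location` block that denies `.php` under the upload path). To check a deployment, upload a part named `x.php` with a non-image body and confirm the request is rejected and nothing appears in the upload directory, then upload a real PNG and confirm the stored name is server-generated and that requesting it returns image bytes rather than executing anything.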
Related Identifiers
EUVD-2026-35005
GHSA-cm8c-634g-crq2