EUVD-2026-31901
GHSA-p73g-287j-9jq7
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS 4.0 vector (PR:N/UI:N/AV:N/AC:L/AT:N) confirms no authentication, no user interaction, and no special configuration is required - remote unauthenticated exploitation is possible against default deployments of STUDENT-MANAGEMENT-SYSTEM where the Dashboard is network-accessible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) reflects constrained impact - confidentiality, integrity, and availability impacts are all rated Low on the vulnerable component, with no downstream system impact (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker who identifies an internet-exposed instance of the STUDENT-MANAGEMENT-SYSTEM can send crafted HTTP requests directly to one or more Dashboard endpoints, bypassing the expected authentication checks. Using the publicly disclosed proof-of-concept available at https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/1#issue-434890558, the attacker accesses or modifies student records - including potentially sensitive personal data - without ever presenting valid credentials. … |
| Remediation | No vendor-released patch identified at time of analysis - the maintainer has not responded to the disclosed GitHub issue (https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/1) as of the report date. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today