Skip to main content

student_management_system EUVD-2026-35130

| CVE-2026-11533 LOW
Improper Authorization (CWE-285)
2026-06-08 VulDB GHSA-5h9q-gwhq-m4wv
PHP Authentication Bypass
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 17:28 vuln.today
Severity Changed
Jun 08, 2026 - 17:22 NVD
MEDIUM LOW
CVSS changed
Jun 08, 2026 - 17:22 NVD
5.4 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the del parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege account credentials
Delivery
Authenticate to student management system
Exploit
Craft HTTP request to /see.php with target del parameter
Execution
Server processes deletion without authorization check
Impact
Targeted student record permanently deleted
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least low-level privileges on the student management system (PR:L per CVSS 4.0 vector); unauthenticated external attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 reflects genuinely limited real-world impact: the vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity and no special attack requirements, but PR:L indicates a low-privileged authenticated account is required - the attacker cannot exploit this without first obtaining valid credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid low-privileged account in the student management system - such as a student user - sends a crafted HTTP request to /see.php with a manipulated `del` parameter referencing another student's record ID. Because the endpoint performs no authorization check to verify the caller's privilege level, the deletion is processed server-side and the targeted record is permanently removed. …
Remediation No vendor-released patch has been identified at time of analysis; the maintainer was notified via a GitHub issue (https://github.com/imvks786/student_management_system/issues/4) but has not yet responded. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2026-35130 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy