CVE-2026-11476

MEDIUM

Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization

Title source: cna
STIX 2.1

Description

A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

References (6)

Core 6
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-369096 | Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization
https://vuldb.com/vuln/369096
Signature, Permissions Required signature permissions-required
VDB-369096 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369096/cti
Third Party Advisory third-party-advisory
CVE-2026-11476 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11476
Third Party Advisory third-party-advisory
Submit #833945 | Kushan2k student-management-system 1.0 Unauthenticated Admin Profile Update Endpoint
https://vuldb.com/submit/833945

Scores

CVSS v3 6.3
EPSS 0.0021
EPSS Percentile 11.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-285
Status published
Products (1)
Kushan2k/student-management-system f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
Published Jun 08, 2026
Tracked Since Jun 08, 2026