CVE-2026-11475: SQL Injection in Kushan2k student-management-system
CVE-2026-11475 is a medium severity SQL injection vulnerability in the Kushan2k student-management-system. It affects the getStatus function in controllers/GradeController.php, which backs the Certificate Verification Endpoint: the nic parameter is not handled safely before it reaches the SQL query, so a remote attacker can alter the structure of the query the application runs. Exploit code has been publicly disclosed. The project follows a rolling release model, so there is no versioned release to compare against, and no patch or official remediation is available yet. The vendor was informed but has not responded.
AI Analysis
Technical Summary
This vulnerability in Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a allows remote attackers to perform SQL injection via the nic parameter in the getStatus function of the GradeController.php file, specifically in the Certificate Verification Endpoint component. The weakness permits manipulation of SQL queries, potentially compromising database integrity or confidentiality. The product's rolling release model means no fixed version numbers are available. The vendor has not yet issued a fix or official guidance. The CVSS 4.0 base score is 5.3, indicating medium severity.
Potential Impact
Successful exploitation lets an attacker who holds low privileges, with no user interaction required, run unauthorized SQL through the certificate verification lookup, potentially reading or modifying data in the backing database. The severity is rated medium rather than high, but the exposure in any given deployment depends on what the vulnerable query can reach and on the privileges of the database account the application connects with; the score is not a measure of a particular installation's risk.
Mitigation Recommendations
No official fix or patch is currently available from the vendor, and the vendor has not responded to the notification, so users should monitor the project's repository for updates. Because exploit code is public, the bar for exploitation is low. The durable fix is to stop building the query from the nic value: bind it as a parameter of a prepared statement, and reject values that do not match the expected NIC format before they reach the database. Until that change is in place, a WAF rule on the nic parameter of the Certificate Verification Endpoint is a reasonable stopgap, but only a stopgap, since signature-based filtering can be bypassed. Also confirm that the database account the application uses holds no more privileges than the application needs, and review access logs for requests whose nic value contains quotes, comment sequences or SQL keywords.
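The following is an added example illustrating the vulnerable and hardened shapes of a lookup like getStatus; it is not code from the Kushan2k repository. The table name, column names, the NIC format used for the allowlist, and the use of PDO with an in-memory SQLite database are all assumptions made so that it runs stand-alone. It serves both the technical summary above and the mitigation recommendation.

```php
<?php
// Added example, not the project's code. The schema, the sample rows, the
// NIC format and the use of PDO with SQLite are assumptions for illustration.
declare(strict_types=1);

// Constructed in-memory database standing in for the application's real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE certificates (nic TEXT PRIMARY KEY, student TEXT, status TEXT)');
$pdo->exec("INSERT INTO certificates VALUES ('199012345678', 'Alice', 'issued')");
$pdo->exec("INSERT INTO certificates VALUES ('200112345679', 'Bob', 'pending')");

// Vulnerable shape: the request value is spliced into the SQL text, so a
// quote in the input closes the literal and the rest becomes SQL.
function getStatusVulnerable(PDO $pdo, string $nic): array
{
    $sql = "SELECT nic, student, status FROM certificates WHERE nic = '$nic'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: allowlist the value, then pass it as a bound parameter.
// The binding is the actual fix; the allowlist is defence in depth.
function getStatusHardened(PDO $pdo, string $nic): array
{
    // Assumed NIC formats: 12 digits, or 9 digits followed by V or X.
    if (!preg_match('/\A(?:\d{12}|\d{9}[VvXx])\z/', $nic)) {
        throw new InvalidArgumentException('nic does not match the expected format');
    }
    $stmt = $pdo->prepare('SELECT nic, student, status FROM certificates WHERE nic = :nic');
    $stmt->execute([':nic' => $nic]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tautology payload of the kind a verification endpoint would see.
$payload = "' OR '1'='1";

printf("vulnerable, payload:  %d row(s)\n", count(getStatusVulnerable($pdo, $payload)));
printf("hardened, valid nic:  %d row(s)\n", count(getStatusHardened($pdo, '199012345678')));
try {
    getStatusHardened($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened, payload:    rejected before reaching the database\n";
}
```

Run it with the php command-line binary with the pdo_sqlite extension enabled. The vulnerable function returns every certificate for the payload because the injected OR clause is evaluated as SQL; the hardened function either returns only the matching row or rejects the value outright. The bound parameter is what closes the vulnerability, since the database receives the nic value as data rather than as query text; the format check is the same rule to express in a WAF while the application code is unpatched.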
CVSS v4.0 score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-06-07T09:37:50.124Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2622ffe29bf47b50791fd2
Added to database: 6/8/2026, 2:03:43 AM
Last enriched: 6/8/2026, 2:18:45 AM
Last updated: 6/8/2026, 3:20:09 AM