CVE-2026-11476: Improper Authorization in Kushan2k student-management-system
CVE-2026-11476 is a medium severity vulnerability in the Kushan2k student-management-system affecting the edit-admin function in the AdminController. php file. The issue involves improper authorization due to manipulation of the isadmin argument at the Profile Update Endpoint. Remote exploitation is possible, and a public exploit has been disclosed. The vendor has not yet responded or provided a patch. The product uses a rolling release model, so specific fixed versions are not identified.
AI Analysis
Technical Summary
This vulnerability in Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a allows an attacker to manipulate the isadmin argument in the edit-admin function of controllers/AdminController.php, resulting in improper authorization. This flaw affects the Profile Update Endpoint and can be exploited remotely without user interaction or elevated privileges beyond limited privileges. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity). The project was notified early but has not issued a fix or advisory, and no patch links are available. The vulnerability is publicly disclosed, increasing risk of exploitation.
Potential Impact
Successful exploitation can allow an attacker with limited privileges to improperly escalate authorization, potentially modifying administrative profiles or privileges. This could lead to unauthorized administrative access or changes within the student-management-system. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk. However, the impact is rated medium due to the requirement of some privilege and the limited scope of the authorization bypass.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Since the vendor has not responded or released a remediation, organizations should monitor the vendor's channels for updates. Until a patch is released, restrict access to the Profile Update Endpoint to trusted users only and consider implementing additional access controls or monitoring to detect unauthorized privilege changes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-11476: Improper Authorization in Kushan2k student-management-system
Description
CVE-2026-11476 is a medium severity vulnerability in the Kushan2k student-management-system affecting the edit-admin function in the AdminController. php file. The issue involves improper authorization due to manipulation of the isadmin argument at the Profile Update Endpoint. Remote exploitation is possible, and a public exploit has been disclosed. The vendor has not yet responded or provided a patch. The product uses a rolling release model, so specific fixed versions are not identified.
CVSS v4.0
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a allows an attacker to manipulate the isadmin argument in the edit-admin function of controllers/AdminController.php, resulting in improper authorization. This flaw affects the Profile Update Endpoint and can be exploited remotely without user interaction or elevated privileges beyond limited privileges. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity). The project was notified early but has not issued a fix or advisory, and no patch links are available. The vulnerability is publicly disclosed, increasing risk of exploitation.
Potential Impact
Successful exploitation can allow an attacker with limited privileges to improperly escalate authorization, potentially modifying administrative profiles or privileges. This could lead to unauthorized administrative access or changes within the student-management-system. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk. However, the impact is rated medium due to the requirement of some privilege and the limited scope of the authorization bypass.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Since the vendor has not responded or released a remediation, organizations should monitor the vendor's channels for updates. Until a patch is released, restrict access to the Profile Update Endpoint to trusted users only and consider implementing additional access controls or monitoring to detect unauthorized privilege changes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-06-07T09:37:52.667Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2622ffe29bf47b50791fda
Added to database: 6/8/2026, 2:03:43 AM
Last enriched: 6/8/2026, 2:18:40 AM
Last updated: 6/8/2026, 3:08:45 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.