CVE-2026-11476

Description

A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-06-07 | Published 2026-06-08 | Updated 2026-06-08 | Assigner VulDB

Problem types

Improper Authorization

Incorrect Privilege Assignment

Product status

Timeline

Credits

Pr0x1ma (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/369096 (VDB-369096 | Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization) vdb-entry technical-description

vuldb.com/vuln/369096/cti (VDB-369096 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-11476 (CVE-2026-11476 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/833945 (Submit #833945 | Kushan2k student-management-system 1.0 Unauthenticated Admin Profile Update Endpoint) third-party-advisory

github.com/Kushan2k/student-management-system/issues/3 exploit issue-tracking

github.com/Kushan2k/student-management-system/ product

cve.org (CVE-2026-11476)

nvd.nist.gov (CVE-2026-11476)

Download JSON