Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by Kushan2k
CVE-2026-11476 (GCVE-0-2026-11476)
Vulnerability from cvelistv5 – Published: 2026-06-08 01:30 – Updated: 2026-06-08 13:02
VLAI
Title
Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization
Summary
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369096 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369096/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11476 | third-party-advisory |
| https://vuldb.com/submit/833945 | third-party-advisory |
| https://github.com/Kushan2k/student-management-sy… | exploitissue-tracking |
| https://github.com/Kushan2k/student-management-system/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kushan2k | student-management-system |
Affected:
f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11476",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:02:49.358440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:02:59.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*"
],
"modules": [
"Profile Update Endpoint"
],
"product": "student-management-system",
"vendor": "Kushan2k",
"versions": [
{
"status": "affected",
"version": "f16a4ceaddd6729c4b306ed4641cda3176c1ef2a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Pr0x1ma (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T01:30:09.326Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369096 | Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369096"
},
{
"name": "VDB-369096 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369096/cti"
},
{
"name": "CVE-2026-11476 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11476"
},
{
"name": "Submit #833945 | Kushan2k student-management-system 1.0 Unauthenticated Admin Profile Update Endpoint",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833945"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Kushan2k/student-management-system/issues/3"
},
{
"tags": [
"product"
],
"url": "https://github.com/Kushan2k/student-management-system/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:43:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11476",
"datePublished": "2026-06-08T01:30:09.326Z",
"dateReserved": "2026-06-07T09:37:52.667Z",
"dateUpdated": "2026-06-08T13:02:59.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11475 (GCVE-0-2026-11475)
Vulnerability from cvelistv5 – Published: 2026-06-08 01:15 – Updated: 2026-06-08 16:33
VLAI
Title
Kushan2k student-management-system Certificate Verification Endpoint GradeController.php getStatus sql injection
Summary
A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369095 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369095/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11475 | third-party-advisory |
| https://vuldb.com/submit/833942 | third-party-advisory |
| https://github.com/Kushan2k/student-management-sy… | exploitissue-tracking |
| https://github.com/Kushan2k/student-management-system/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kushan2k | student-management-system |
Affected:
f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:20:37.427189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:33:03.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*"
],
"modules": [
"Certificate Verification Endpoint"
],
"product": "student-management-system",
"vendor": "Kushan2k",
"versions": [
{
"status": "affected",
"version": "f16a4ceaddd6729c4b306ed4641cda3176c1ef2a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ChenI (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T01:15:08.800Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369095 | Kushan2k student-management-system Certificate Verification Endpoint GradeController.php getStatus sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369095"
},
{
"name": "VDB-369095 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369095/cti"
},
{
"name": "CVE-2026-11475 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11475"
},
{
"name": "Submit #833942 | Kushan2k student-management-system 1.0 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833942"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Kushan2k/student-management-system/issues/2"
},
{
"tags": [
"product"
],
"url": "https://github.com/Kushan2k/student-management-system/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:43:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kushan2k student-management-system Certificate Verification Endpoint GradeController.php getStatus sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11475",
"datePublished": "2026-06-08T01:15:08.800Z",
"dateReserved": "2026-06-07T09:37:50.124Z",
"dateUpdated": "2026-06-08T16:33:03.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11474 (GCVE-0-2026-11474)
Vulnerability from cvelistv5 – Published: 2026-06-08 01:00 – Updated: 2026-06-09 14:44
VLAI
Title
Kushan2k student-management-system Registration Endpoint RegisterService.php unrestricted upload
Summary
A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369094 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369094/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11474 | third-party-advisory |
| https://vuldb.com/submit/833933 | third-party-advisory |
| https://github.com/Kushan2k/student-management-sy… | exploitissue-tracking |
| https://github.com/Kushan2k/student-management-system/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Kushan2k | student-management-system |
Affected:
f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11474",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:43:21.347752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:44:03.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*"
],
"modules": [
"Registration Endpoint"
],
"product": "student-management-system",
"vendor": "Kushan2k",
"versions": [
{
"status": "affected",
"version": "f16a4ceaddd6729c4b306ed4641cda3176c1ef2a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "SweetSour (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T01:00:11.822Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369094 | Kushan2k student-management-system Registration Endpoint RegisterService.php unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369094"
},
{
"name": "VDB-369094 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369094/cti"
},
{
"name": "CVE-2026-11474 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11474"
},
{
"name": "Submit #833933 | Kushan2k student-management-system 1.0 Unrestricted File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833933"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Kushan2k/student-management-system/issues/1"
},
{
"tags": [
"product"
],
"url": "https://github.com/Kushan2k/student-management-system/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:42:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kushan2k student-management-system Registration Endpoint RegisterService.php unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11474",
"datePublished": "2026-06-08T01:00:11.822Z",
"dateReserved": "2026-06-07T09:37:47.515Z",
"dateUpdated": "2026-06-09T14:44:03.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}