Description
A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an unknown function in the admin/ component of the Student-Management-System. By manipulating the uid argument, an attacker can trigger an unintended redirect after authentication, creating an open-redirect scenario that may be leveraged for phishing or credential-stealing attacks. This issue is related to CWE-698 (Untrusted Redirect) and CWE-705 (Link Location Manipulation). An attacker does not gain direct code execution on the server; the impact is limited to the redirection of authenticated users to arbitrary URLs.

Affected Systems

The software is known as Student‑Management‑System by a4m4, with affected code up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0. Because the project follows a rolling‑release model, no discrete version numbers are available, and the fix may have been published in the latest commit. Several endpoints in the admin/ namespace are affected, so any instance using the unpatched code is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 denotes a medium severity, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request to the vulnerable admin endpoint, which is accessible remotely and requires only network access to the host. Attackers can supply a malicious uid value that causes the application to redirect users to arbitrary sites, raising the risk profile for exposed deployments. The overall risk is moderate but can become high if the admin interface is reachable from untrusted networks.

Generated by OpenCVE AI on June 1, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Pull the latest commit from the a4m4 repository that implements input sanitization or removes the unrestricted redirect logic in the admin/ component.
  • Restrict access to the admin/ endpoints by enforcing IP‑based rules or configuring the web server to allow only authenticated administrators to reach this namespace.
  • Implement server‑side validation of the uid parameter: accept only whitelisted target URLs or use a safe redirect mechanism that does not trust user input.
  • Monitor application logs for abnormal uid values or repeated redirect attempts, and coordinate with the project maintainers for a formal patch.
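The weakness class the record assigns, CWE-698 Execution After Redirect, shown as an added Python illustration rather than the project's own code (which this record does not show): a redirect issued to an unauthenticated caller does not by itself stop the handler, so the privileged action on the supplied uid still runs; the second handler returns immediately after the redirect. The Response class, the handler names and the sample user table are constructed for this example.

```python
# Added illustration of CWE-698 (Execution After Redirect), not code from
# the a4m4 project: an admin action that redirects unauthenticated callers
# but, like a PHP header('Location: ...') without exit, keeps executing.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""

    def redirect(self, location: str) -> None:
        # Sets the Location header; does not stop the calling handler.
        self.status, self.headers["Location"] = 302, location


def delete_user_vulnerable(req: dict, users: dict) -> Response:
    """Redirects anonymous callers, then still performs the delete."""
    resp = Response()
    if not req.get("session", {}).get("is_admin"):
        resp.redirect("/login")     # no return/exit after the redirect
    uid = req["params"].get("uid")
    users.pop(uid, None)            # privileged action runs anyway (EAR)
    resp.body = f"deleted {uid}"
    return resp


def delete_user_fixed(req: dict, users: dict) -> Response:
    """Same action with the authorization check scoped correctly
    (the CWE-705 side of the record): return before any privileged work."""
    resp = Response()
    if not req.get("session", {}).get("is_admin"):
        resp.redirect("/login")
        return resp                 # nothing below runs for this caller
    uid = req["params"].get("uid")
    users.pop(uid, None)
    resp.body = f"deleted {uid}"
    return resp


def demo() -> tuple:
    """Constructed sample: one anonymous request against both handlers."""
    anon = {"params": {"uid": "1001"}, "session": {}}
    db_vuln = {"1001": "alice", "1002": "bob"}
    db_fixed = dict(db_vuln)
    r_vuln = delete_user_vulnerable(anon, db_vuln)
    r_fixed = delete_user_fixed(anon, db_fixed)
    # (status, uid still present) for the vulnerable and the fixed handler
    return r_vuln.status, "1001" in db_vuln, r_fixed.status, "1001" in db_fixed
```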

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Values added:
  • Description: A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: a4m4 Student-Management-System Admin Endpoint admin redirect
  • First Time appeared: A4m4; A4m4 student-management-system
  • Weaknesses: CWE-698; CWE-705
  • CPEs: cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:*
  • Vendors & Products: A4m4; A4m4 student-management-system
  • References: (empty)
  • Metrics (cvssV2_0): {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  • Metrics (cvssV3_0): {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • Metrics (cvssV3_1): {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T18:14:51.309Z

Reserved: 2026-05-31T14:16:08.582Z

Link: CVE-2026-10271

Vulnrichment

Updated: 2026-06-01T18:14:47.336Z

NVD

Status : Deferred

Published: 2026-06-01T17:16:43.500

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-10271

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:00:14Z

Weaknesses
  • CWE-698: Execution After Redirect (EAR)
  • CWE-705: Incorrect Control Flow Scoping