Description
A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the admin/deleteform.php file of a4m4 Student-Management-System allows an attacker to manipulate the sid argument, bypassing the intended authorization checks and deleting records without proper privilege. The vulnerability is an improper authorization flaw, rooted in CWE-266 and CWE-285, that can be exploited remotely by unauthenticated or improperly authenticated users who direct requests to this endpoint. The impact is the loss of data integrity and potential data loss, as records can be removed at the attacker’s discretion.

Affected Systems

The affected product is a4m4 Student-Management-System. No specific version numbers are listed because the project uses rolling releases; the vulnerable state exists in the code base up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0.

Risk and Exploitability

The flaw carries a CVSS score of 6.9, indicating moderate severity. EPSS data is not available, so the precise exploit probability is unknown, but the fact that the vulnerability can be triggered remotely and the public disclosure of an exploit raise the risk profile. The vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector is a remote HTTP request to deleteform.php with a crafted sid parameter, possibly from an unauthenticated or minimally privileged user.

Generated by OpenCVE AI on June 1, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the a4m4 repository for a patch that enforces proper authorization on delete operations; update to the latest commit that includes the fix.
  • Review the implementation of deleteform.php to ensure that every delete request verifies that the current user has an administrator role before performing the operation; if not present, implement role-based access control.
  • Restrict access to the admin area to IP ranges that belong to the organization or require multi-factor authentication to reduce the risk of unauthorized access.
  • As a temporary workaround, block direct HTTP requests to deleteform.php from unauthenticated sources or enforce token-based protection at the web server level.
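The authorization check the second action above calls for, written here as an added example of a hardened admin-side delete handler. It is not the project's own deleteform.php; it assumes a PHP session that stores user_id, role and a csrf token, a PDO handle $pdo created by an included config file, and a students table keyed by sid.

```php
<?php
// Hypothetical hardened delete handler (added example, not the project's code).
// Assumptions: $_SESSION carries 'user_id', 'role' and a per-session 'csrf' token;
// records live in a table `students` keyed by `sid`; $pdo is a PDO connection
// created elsewhere (e.g. require 'config.php').
declare(strict_types=1);

session_start();

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Authentication and authorization: only a logged-in administrator may delete.
//    This is the check whose absence lets an arbitrary sid be removed remotely.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    error_log(sprintf('deleteform.php: unauthorized delete attempt from %s',
        $_SERVER['REMOTE_ADDR'] ?? '?'));
    deny(403, 'Forbidden');
}

// 2. Deletes change state: require POST plus a matching CSRF token so a crafted
//    link or cross-site form cannot trigger the operation on an admin's behalf.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'Method Not Allowed');
}
$token = $_POST['csrf'] ?? '';
if (empty($_SESSION['csrf']) || !is_string($token)
    || !hash_equals($_SESSION['csrf'], $token)) {
    deny(403, 'Invalid CSRF token');
}

// 3. Validate the identifier before it reaches the database.
$sid = filter_input(INPUT_POST, 'sid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($sid === false || $sid === null) {
    deny(400, 'Bad request');
}

// 4. Parameterised delete; log who removed what so the action is auditable.
$stmt = $pdo->prepare('DELETE FROM students WHERE sid = :sid');
$stmt->execute([':sid' => $sid]);
error_log(sprintf('deleteform.php: admin %d deleted sid %d (%d row(s))',
    (int) $_SESSION['user_id'], $sid, $stmt->rowCount()));

header('Location: students.php');
exit;
```

The log lines give a detection hook: repeated 403 entries from one address against this script are the signature of someone probing the endpoint without a session.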



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | a4m4 Student-Management-System deleteform.php improper authorization
First Time appeared | | A4m4; A4m4 student-management-system
Weaknesses | | CWE-266; CWE-285
CPEs | | cpe:2.3:a:a4m4:student-management-system:*:*:*:*:*:*:*:*
Vendors & Products | | A4m4; A4m4 student-management-system
References | |
Metrics | | cvssV2_0: {'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T17:47:00.257Z

Reserved: 2026-05-31T14:16:11.213Z

Link: CVE-2026-10272

Vulnrichment

Updated: 2026-06-01T17:46:57.013Z

NVD

Status : Deferred

Published: 2026-06-01T17:16:43.700

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-10272

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:30:06Z

Weaknesses