CVE-2026-10777 - Vulnerability Details

- ealpha072 Student-Management-System Administrative Backend config.php improper authentication

Description

A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component Administrative Backend. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-06-03

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is triggered by an insufficient authentication check in the admin/config.php file of the Student‑Management‑System. This flaw allows an unauthenticated or low‑privileged user to gain administrative access by manipulating requests or bypassing the expected authentication workflow. As a result, an attacker could read, modify, or delete configuration settings, potentially leading to a full compromise of the management system.

Affected Systems

The affected product is ealpha072 Student‑Management‑System, up to the code revision 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. The public repository contains the vulnerable component in the Administrative Backend, but the project does not publish explicit version numbers for releases due to its rolling‑release model.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as a moderate risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known exploitation campaigns at the time of writing. However, the exploit code is publicly available, and the vulnerability can be triggered remotely, making it a realistic threat for exposed instances of the application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ealpha072

Student-Management-System

affected

Version	Status	Constraints
`01451bd7a2f58cdda07bd0b86e3967582e3ecd08`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Restrict external access to the administrative backend using firewall rules or IP whitelisting to limit the attack surface.
Enable detailed logging for authentication attempts and monitor logs for suspicious access patterns, alerting on repeated failures or unexpected user agents.
When a vendor patch or update becomes available, upgrade the Student‑Management‑System to a version that removes the improper authentication check; meanwhile, verify the running code against the commit hash to confirm vulnerability status.

Generated by OpenCVE AI on June 4, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00098.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ealpha072/Student-Management-System/
https://github.com/ealpha072/Student-Management-System/issues/2
https://vuldb.com/cve/CVE-2026-10777
https://vuldb.com/submit/831445
https://vuldb.com/vuln/368139
https://vuldb.com/vuln/368139/cti

History

Thu, 04 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component Administrative Backend. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Title		ealpha072 Student-Management-System Administrative Backend config.php improper authentication
First Time appeared		Ealpha072 Ealpha072 student-management-system
Weaknesses		CWE-287
CPEs		cpe:2.3:a:ealpha072:student-management-system::::::::
Vendors & Products		Ealpha072 Ealpha072 student-management-system
References		https://github.com/ealpha072/Student-Management-System/ https://github.com/ealpha072/Student-Management-System/issues/2 https://vuldb.com/cve/CVE-2026-10777 https://vuldb.com/submit/831445 https://vuldb.com/vuln/368139 https://vuldb.com/vuln/368139/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Ealpha072 Student-management-system

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-03T22:30:08.399Z

Updated: 2026-06-04T12:52:40.113Z

Reserved: 2026-06-03T15:54:26.882Z

Link: CVE-2026-10777

Vulnrichment

Updated: 2026-06-04T12:48:32.728Z

NVD

Status : Received

Published: 2026-06-03T23:16:17.280

Modified: 2026-06-04T14:16:35.963

Link: CVE-2026-10777

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T00:30:45Z

Weaknesses

CWE-287

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object