Description
A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unrestricted upload flaw in the student-management-system, located in the RegisterService.php handler for the registration endpoint. By manipulating the stimg argument, an attacker can upload any file type to the server. Because the upload is not subject to type checks or size limits, a malicious payload could be placed in a location where it might be executed or used to expose sensitive data, potentially leading to code execution or other integrity violations.

Affected Systems

This issue affects all releases of the Kushan2k student-management-system up to the revision f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The project employs a rolling release model, so specific fixed versions are not yet published. Administrators who run any instance of the application may be vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. An attacker can trigger the flaw remotely via the public registration endpoint, and a proof-of-concept exploit has already been released. No EPSS data is available and the vulnerability is not yet listed in the CISA KEV catalog. Because the upload is unrestricted, the success of an attack largely depends on whether the web server is configured to execute uploaded files; if execution is possible, the impact could be equivalent to remote code execution.

Generated by OpenCVE AI on June 8, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest release of the student-management-system once a vendor fix is available
  • Add server-side validation to the upload handler that checks file extensions and MIME types against an allowlist and rejects everything else
  • Store uploaded files outside the web root or configure the upload directory as non-executable to prevent accidental execution
  • If the application cannot be updated, disable the registration endpoint or restrict it to trusted users only
  • Monitor log files for abnormal upload activity and alert on unexpected file types
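As an added example (not code from the Kushan2k project), the following PHP handler shows how the recommendations above fit together for an image field such as stimg: an extension and content-based MIME allowlist, a size limit, a server-chosen random filename, storage outside the web root with non-executable permissions, and a log line on every rejection. The function name, the storage path, the size limit and the accepted formats are assumptions for illustration; only the field name stimg comes from the advisory.

```php
<?php
// Added example, not the project's own code: hardened handling of a
// registration image upload (field assumed to be 'stimg'). Paths, limits
// and function names are assumptions chosen for illustration.

declare(strict_types=1);

// Extension -> MIME type allowlist. Only the image formats the form needs.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Maximum accepted size in bytes (assumed policy value).
const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// Storage directory outside the document root (assumed path). The web server
// never serves or executes files from here; the application streams them.
const IMAGE_STORE_DIR = '/var/app/uploads/student-images';

/**
 * Validate one $_FILES entry and, if acceptable, move it into IMAGE_STORE_DIR
 * under a random name. Returns the stored filename; throws RuntimeException
 * with a short reason suitable for logging when the upload is rejected.
 */
function store_student_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        // Rejects paths that did not arrive through PHP's upload mechanism.
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_IMAGE_BYTES || filesize($file['tmp_name']) > MAX_IMAGE_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }

    // The client-supplied extension only selects the MIME type we expect;
    // it is never used on its own to build the stored path.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // Content-based MIME detection; the client-supplied $file['type'] is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("content type '$detected' does not match extension '$ext'");
    }

    // Require the file to decode as an image. This rejects most non-image
    // payloads; it does not by itself defeat image/script polyglots, which is
    // why the storage directory is outside the web root and non-executable.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }

    // Random, server-chosen name: no user-controlled path component.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = IMAGE_STORE_DIR . DIRECTORY_SEPARATOR . $stored;

    if (!is_dir(IMAGE_STORE_DIR) && !mkdir(IMAGE_STORE_DIR, 0750, true)) {
        throw new RuntimeException('cannot create storage directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $stored;
}

// Usage inside a registration handler: nothing is stored on failure, and
// every rejection is logged with the client address for monitoring.
if (isset($_FILES['stimg'])) {
    try {
        $name = store_student_image($_FILES['stimg']);
        // persist $name with the student record
    } catch (RuntimeException $e) {
        error_log('stimg upload rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $e->getMessage());
        http_response_code(400);
        exit('Invalid image upload');
    }
}
```

The design point is that no single check is trusted alone: the extension, the sniffed MIME type and the image decode must all agree, and even then the file lands in a directory the web server cannot execute from. The error_log calls give the "abnormal upload activity" signal the monitoring recommendation asks for without exposing the rejection reason to the client.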


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 01:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Title               |                | Kushan2k student-management-system Registration Endpoint RegisterService.php unrestricted upload
First Time appeared |                | Kushan2k; Kushan2k student-management-system
Weaknesses          |                | CWE-284; CWE-434
CPEs                |                | cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*
Vendors & Products  |                | Kushan2k; Kushan2k student-management-system
References          |                |
Metrics             |                | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T01:00:11.822Z

Reserved: 2026-06-07T09:37:47.515Z

Link: CVE-2026-11474

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T01:16:23.073

Modified: 2026-06-08T01:16:23.073

Link: CVE-2026-11474

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T02:30:13Z

Weaknesses