Description
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Kushan2k student-management-system allows manipulation of the "isadmin" argument in the edit-admin function of AdminController.php. By altering this parameter, an attacker can bypass the intended authorization controls and gain administrator privileges within the application. The defect is a direct result of improper authorization checks and is listed in CWE-266 and CWE-285.

Affected Systems

The flaw affects the Kushan2k student-management-system application. No specific release numbers are provided, as the project follows a rolling‑release model and does not disclose affected commit hashes publicly. Administrators should consider that any deployment of the application preceding the fix could be vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker may be able to exploit the flaw remotely by sending a crafted HTTP request to the edit‑admin endpoint with the "isadmin" parameter altered, thereby escalating privileges. Because the vulnerability stems from an inadequate authorization check rather than a denial‑of‑service flaw, the impact would primarily be a loss of confidentiality and integrity for the system and its data.

Generated by OpenCVE AI on June 8, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the latest release from the Kushan2k repository to remove the vulnerable code.
  • Apply role‑based access control in the edit-admin endpoint, ensuring that only authenticated users with an administrative role can perform admin updates.
  • Eliminate the client‑side usage of the "isadmin" parameter entirely and perform server‑side validation of administrative privileges before applying any changes.
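As an added illustration (not the project's own code), a hypothetical PHP profile-update handler in the shape the advisory describes, where the client-supplied "isadmin" flag decides the role, beside a hardened version that takes the caller's role from the server-side session and checks it before any admin update. Function names, the session layout and the users table schema are assumptions.

```php
<?php
// Added example, not the project's own code. Names and schema are assumptions.
// Vulnerable pattern: the role change is driven by a client-supplied flag.
function editAdminVulnerable(PDO $db, array $post): void
{
    // Anyone who can reach the endpoint decides their own role.
    $isAdmin = (int) ($post['isadmin'] ?? 0);
    $stmt = $db->prepare('UPDATE users SET name = ?, isadmin = ? WHERE id = ?');
    $stmt->execute([$post['name'] ?? '', $isAdmin, $post['id'] ?? 0]);
}

// Hardened pattern: authorization comes from the server-side session only,
// and the privilege flag is never trusted from the request.
function editAdminHardened(PDO $db, array $session, array $post): void
{
    // 1. Authenticate: the caller must have a server-established session.
    if (empty($session['user_id'])) {
        http_response_code(401);
        exit;
    }
    // 2. Authorize: look the caller's role up server-side, never in the request.
    $stmt = $db->prepare('SELECT isadmin FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $callerIsAdmin = (bool) $stmt->fetchColumn();

    $targetId = (int) ($post['id'] ?? 0);
    // Non-admins may only edit their own profile and can never change a role.
    if (!$callerIsAdmin && $targetId !== (int) $session['user_id']) {
        http_response_code(403);
        exit;
    }
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    $stmt->execute([$post['name'] ?? '', $targetId]);

    // 3. Role changes are a separate, admin-only action, logged for detection.
    if ($callerIsAdmin && array_key_exists('isadmin', $post)) {
        $newFlag = (int) (bool) $post['isadmin'];
        $stmt = $db->prepare('UPDATE users SET isadmin = ? WHERE id = ?');
        $stmt->execute([$newFlag, $targetId]);
        error_log(sprintf('role change by user %d on user %d -> isadmin=%d',
            (int) $session['user_id'], $targetId, $newFlag));
    }
}
```

The logged role-change line gives a defender a concrete event to alert on: any "isadmin" change not issued by a known administrator's session is worth investigating.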



Advisories

No advisories yet.

History

Mon, 08 Jun 2026 02:00:00 +0000

Type                  Values Removed    Values Added
Description                             A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Title                                   Kushan2k student-management-system Profile Update Endpoint AdminController.php edit-admin improper authorization
First Time appeared                     Kushan2k
                                        Kushan2k student-management-system
Weaknesses                              CWE-266
                                        CWE-285
CPEs                                    cpe:2.3:a:kushan2k:student-management-system:*:*:*:*:*:*:*:*
Vendors & Products                      Kushan2k
                                        Kushan2k student-management-system
References
Metrics                                 cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                        cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                        cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                        cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T01:30:09.326Z

Reserved: 2026-06-07T09:37:52.667Z

Link: CVE-2026-11476

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T02:16:23.747

Modified: 2026-06-08T02:16:23.747

Link: CVE-2026-11476

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T04:00:06Z

Weaknesses