CVE-2026-10272
Description
The Student-Management-System lacks authentication in admin/deleteform.php, allowing remote attackers to delete student records via the sid parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The admin/deleteform.php script in a4m4/Student-Management-System up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0 contains an improper authorization vulnerability [1]. The script fails to implement any session validation or authentication checks, such as session_start(), before processing incoming HTTP requests [1]. This allows the code path responsible for executing SQL DELETE statements to be reached by any user who can access the script directly [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or valid session cookies [1]. By sending a crafted HTTP GET request to admin/deleteform.php with a specific sid parameter, an attacker can trigger the deletion of arbitrary student records from the database [1]. The vulnerability is easily reproducible by navigating to the endpoint and providing an ID, which the server processes without redirecting the user to a login page [1].
Impact
Successful exploitation results in unauthorized data deletion and modification [1]. An attacker can wipe entire student databases by enumerating IDs, or potentially leverage the sid parameter for SQL injection [1]. This leads to a loss of data integrity and availability, causing significant business disruption, and the lack of logging makes these actions difficult to trace [1].
Mitigation
No official patch or fix has been released by the project maintainers as of the publication date [1]. Users are advised to restrict access to the admin/ directory at the web server level or implement manual authentication checks within the affected PHP scripts to prevent unauthorized access.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to perform authentication or authorization checks on critical administrative scripts."
Attack vector
An unauthenticated remote attacker can trigger the vulnerability by sending a GET request to the admin/deleteform.php script [ref_id=1]. The attacker provides an arbitrary value for the sid parameter, which is then processed directly by the application to execute SQL deletion commands [ref_id=1]. This allows for unauthorized data manipulation without requiring a valid session or administrative privileges [ref_id=1].
Affected code
The vulnerability is located in the admin/deleteform.php file, specifically in the logic that processes the sid parameter from the HTTP request [ref_id=1]. The admin/updatedata.php script is also identified as lacking necessary access controls [ref_id=1].
What the fix does
No patch is currently available for this vulnerability [ref_id=1]. The advisory indicates that the affected scripts lack session validation and recommends implementing proper authentication and authorization checks, such as verifying session status before processing requests [ref_id=1].
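As an added example (not the project's code and not a released patch), this is what a hardened admin/deleteform.php along the lines of the Mitigation section and the advice above could look like: it adds the session check the advisory says is missing, validates sid, binds it in a prepared statement, and logs the deletion. Assumed, not taken from the project: a login script that sets $_SESSION['admin_id'] and $_SESSION['csrf_token'], a config.php that provides a mysqli connection $conn, and a students table keyed by an integer sid column.

```php
<?php
// Added example, not the project's code. Assumptions: the admin login page sets
// $_SESSION['admin_id'] and $_SESSION['csrf_token']; ../config.php defines a
// mysqli connection $conn; student records live in `students` keyed by integer `sid`.
declare(strict_types=1);
session_start();                          // the affected script had no session handling at all

require_once __DIR__ . '/../config.php';  // assumed to define $conn (mysqli)

// 1. Authentication: refuse anyone without an admin session before touching the database.
if (empty($_SESSION['admin_id'])) {
    header('Location: ../login.php', true, 302);
    exit;
}

// 2. State-changing actions only over POST; a GET link can be triggered by a bare URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. CSRF token bound to the session, so a logged-in admin cannot be tricked into deleting.
if (!hash_equals((string)($_SESSION['csrf_token'] ?? ''), (string)($_POST['csrf_token'] ?? ''))) {
    http_response_code(403);
    exit('Invalid request token');
}

// 4. Strict input validation: sid must be a positive integer and nothing else.
$sid = filter_input(INPUT_POST, 'sid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($sid === false || $sid === null) {
    http_response_code(400);
    exit('Invalid student id');
}

// 5. Parameterised DELETE: sid is bound, never interpolated, which removes the SQL-injection angle.
$stmt = $conn->prepare('DELETE FROM students WHERE sid = ?');
$stmt->bind_param('i', $sid);
$stmt->execute();
$deleted = $stmt->affected_rows;
$stmt->close();

// 6. Audit trail: the advisory notes that missing logging made deletions hard to trace.
error_log(sprintf('[audit] admin=%d deleted student sid=%d rows=%d ip=%s',
    (int)$_SESSION['admin_id'], $sid, $deleted, $_SERVER['REMOTE_ADDR'] ?? '-'));

header('Location: ../index.php?deleted=' . $deleted, true, 303);
exit;
```

Restricting the admin/ directory at the web server level, as the Mitigation section also suggests, is complementary: it keeps the script unreachable even if a future edit drops one of these checks.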
Preconditions
- Network: The attacker must have network access to the web server hosting the Student-Management-System.
Reproduction
To reproduce the vulnerability, send a GET request to the delete endpoint without providing any session cookies: GET /admin/deleteform.php?sid=9999 HTTP/1.1 [ref_id=1]. A successful execution is indicated by an HTTP 200 OK response, confirming that the script processed the request without authentication [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.