CVE-2026-10619
Description
A vulnerability was detected in sayan365 student-management-system up to 7f3c9ce7d410332335c2affac93a385485051800. This impacts an unknown function. The manipulation results in improper authentication. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.
Affected products
- Range: up to 7f3c9ce7d410332335c2affac93a385485051800
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper authentication checks allow unauthenticated access to sensitive pages."
Attack vector
The vulnerability affects multiple endpoints, including `edit_attendance.php` and `edit_subject.php` [ref_id=1, ref_id=2]. An attacker can remotely access these pages without any authentication by simply knowing the file path and providing a relevant GET parameter, such as an ID [ref_id=1, ref_id=2]. The application fails to check for a valid login session before processing requests. This allows an attacker to view and modify attendance or subject records by sending crafted GET and POST requests [ref_id=1, ref_id=2].
Affected code
The vulnerability exists in `edit_attendance.php` and `edit_subject.php` [ref_id=1, ref_id=2]. Specifically, these files include database connections and process requests based on GET parameters like `id` without performing any session validation or authentication checks [ref_id=1, ref_id=2]. For instance, `edit_subject.php` calls `session_start()` but does not verify that a user is actually logged in [ref_id=2].
What the fix does
The advisory does not specify a patch or provide details on remediation. The project was informed of the problem but has not responded. Therefore, no fix explanation can be provided.
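As an added illustration only (not the project's code and not a published patch), the following guard shows the kind of check the Affected code section says is missing: `session_start()` is called, but nothing confirms that the session belongs to a logged-in user before the `id` parameter is processed. The session key `user_id` and the `login.php` target are assumptions about the application.

```php
<?php
// Added illustration, not the project's code: a session guard of the kind the
// advisory says edit_attendance.php and edit_subject.php lack. The session key
// 'user_id' and the login page 'login.php' are assumed names, not taken from
// the project.
declare(strict_types=1);

function require_login(string $loginPage = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Harden the session cookie before the session is started.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }

    // session_start() alone proves nothing: an anonymous visitor also gets a
    // session. Only a session the login handler populated counts as authenticated.
    if (empty($_SESSION['user_id'])) {
        // Deny before any database include or parameter handling runs, so the
        // same guard covers both the GET view and the POST update paths.
        http_response_code(302);
        header('Location: ' . $loginPage);
        exit;
    }
    // Authorization (may *this* user edit *this* record?) is a separate check
    // that still belongs after this point; this guard only establishes identity.
}

// Validate the record id before it reaches a query; runs only once
// require_login() has passed.
function require_int_param(string $name): int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($value === false || $value === null) {
        http_response_code(400);
        exit('Bad request');
    }
    return $value;
}

// Intended placement: the first lines of edit_subject.php / edit_attendance.php,
// before the database connection is included:
//   require_once __DIR__ . '/auth_check.php';   // assumed filename
//   require_login();
//   $id = require_int_param('id');
```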
Preconditions
- Network: The attacker can reach the vulnerable application over the network.
- Input: The attacker needs to know the file path of the vulnerable script (e.g., `edit_attendance.php`) and a valid ID parameter.
Reproduction
GET /edit_attendance.php?id=1 HTTP/1.1
Host: 127.0.0.1:3000
Connection: close
User-Agent: PoC
Accept: */*

GET /edit_subject.php?id=1 HTTP/1.1
Host: 127.0.0.1:3000
Connection: close
User-Agent: PoC
Accept: */*
Subsequent POST requests to the same URLs can modify data without authentication [ref_id=1, ref_id=2].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/sayan365/student-management-system/issues/3
- github.com/sayan365/student-management-system/issues/4
- vuldb.com/cve/CVE-2026-10619
- vuldb.com/submit/829545
- vuldb.com/submit/829562
- vuldb.com/submit/829566
- vuldb.com/submit/829567
- vuldb.com/submit/829568
- vuldb.com/submit/829569
- vuldb.com/vuln/367927
- vuldb.com/vuln/367927/cti
News mentions
No linked articles in our index yet.