CVE-2026-10777
Description
Improper authentication in ealpha072 Student-Management-System allows remote attackers to access the administrative backend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in the administrative backend of the ealpha072 Student-Management-System up to commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. The admin/config.php file has its session_start(); call commented out, so no session is ever initialized. This potentially affects every page under the admin/ directory, including admin/dashboard.php [2]. The project uses a rolling release model, so no version numbers are available [1].
Exploitation
An attacker exploits this by sending a direct GET request to an administrative page such as admin/dashboard.php, with no credentials and no session cookie. Because session_start() is never called, $_SESSION is never populated, and the admin pages themselves perform no login check before rendering, so the request is answered with the full administrative interface [2].
Impact
Successful exploitation allows any unauthenticated remote attacker to gain full access to the administrative backend. This includes the ability to view, add, edit, and delete students, courses, units, and departments, effectively compromising the integrity and confidentiality of the system's data [1, 2].
Mitigation
As of the available references, no patch or fixed version has been released, and the project has not yet responded to the issue report [1, 2]. There are no disclosed workarounds. The project's rolling release system means specific version information for fixes is not provided [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: up to commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The administrative backend fails to start PHP sessions, preventing authentication checks from functioning."
Attack vector
An attacker can remotely access administrative pages without authentication. This is because the `admin/config.php` file has `session_start();` commented out, and subsequent pages like `admin/dashboard.php` do not verify if a user is authenticated. By sending a GET request to `admin/dashboard.php` without any session cookie, an attacker receives the full administrative interface with HTTP 200 OK [ref_id=1].
Affected code
The vulnerability resides in `admin/config.php` where the `session_start();` call is commented out, and in `admin/dashboard.php` which includes a header without verifying authentication. These files are part of the administrative backend of the Student-Management-System [ref_id=1].
What the fix does
The advisory does not specify a patch or provide remediation guidance. The project was informed of the problem but has not responded yet. Therefore, no fix explanation can be provided.
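The vulnerable shape described in the Vulnerability, Attack vector and Affected code passages above, next to one way to close it. This is an added illustration, not code from the ealpha072 repository and not a published fix: the page only confirms that `admin/config.php` has `session_start();` commented out and that `admin/dashboard.php` includes a header without checking authentication. The file contents, the `$_SESSION['admin_id']` key, `require_admin()`, `establish_admin_session()`, `destroy_admin_session()`, `login.php` and `header.php` are assumptions. Two files are shown in one listing, separated by comments.

```php
<?php
// Added example, not the project's code. Illustrative reconstruction of the
// vulnerable shape and a hardened form; file layout, session key and helper
// names are assumptions.

// ===== admin/config.php, vulnerable shape =====
// The page reports that the real file has the session call commented out:
//
//     // session_start();
//
// With no session, $_SESSION is never populated, and because the admin pages
// perform no login check of their own, every request is served as if it
// were authenticated.

// ===== admin/config.php, hardened form =====
// Cookie flags are set before the session starts so the first Set-Cookie
// already carries them.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // assumes the application is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();          // the call the vulnerable config.php leaves commented out

/**
 * Fail-closed guard. Every script under admin/ calls this before emitting
 * any output, so an unauthenticated request never reaches the page body.
 */
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

/**
 * Called by an assumed login.php only after the credential check succeeds.
 * Regenerating the id on the privilege change blocks session fixation.
 */
function establish_admin_session(int $adminId): void
{
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $adminId;
}

/** Called by an assumed logout.php: clears server state and the cookie. */
function destroy_admin_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// ===== admin/dashboard.php, hardened form =====
// The vulnerable version includes header.php straight away. The guard must
// run before that include, because header.php starts sending HTML and a
// redirect cannot be issued once output has begun.
require_once __DIR__ . '/config.php';
require_admin();
require_once __DIR__ . '/header.php';
// ... dashboard markup ...
```

Restoring `session_start()` on its own is not a fix: the page states that `admin/dashboard.php` renders without checking the session, so the guard call on every admin/ page is the part that actually closes the hole. The check must also fail closed (redirect and `exit`), since a missing `exit` after `header('Location: ...')` still sends the page body to the client.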
Preconditions
- auth: No authentication is required to exploit this vulnerability.
- network: The vulnerability is reachable remotely.
Reproduction
Without any valid session cookie, or with an empty/invalid session, send a GET request to the admin dashboard: http://127.0.0.1:3000/admin/dashboard.php. The server responds with HTTP 200 OK and the full HTML of the admin dashboard, including administrative links and features [ref_id=1].
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 entries
News mentions
No linked articles in our index yet.