VYPR
High severity · 7.3 · NVD Advisory · Published Jun 8, 2026

CVE-2026-11474

Description

Unrestricted file upload vulnerability in Kushan2k student-management-system allows remote code execution via the registration endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A security flaw exists in the Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a, specifically in the registration endpoint's file-handling service (service/RegisterService.php). The upload handler checks only the size of the submitted file, so any file type, including executable PHP scripts, can be written into a web-accessible directory.

Exploitation

An attacker exploits this by submitting a crafted multipart POST request to the registration endpoint with a malicious file (for example, a .php web shell) in the student profile image field (stimg). The server saves the file under public/profiles/ without validating it, naming it with a timestamp prefix followed by the original filename, so it is directly reachable by URL. Because the prefix is a timestamp rather than a random token, an attacker who notes the upload time can enumerate candidate names if the server does not echo the stored path back.

Impact

Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) on the server. By uploading a web shell and accessing it through its URL, an attacker can execute arbitrary commands with the privileges of the web server process, potentially leading to a full system compromise.

Mitigation

No specific patched version or release date is available because the project uses a rolling release model and the developers have not responded. As of the available references, no official mitigation or workaround has been provided; the project was made aware of the issue via an issue report [1]. Until a fix ships, deployers can apply the standard controls for this bug class: determine the uploaded file's type server-side from its bytes rather than its name or Content-Type, assign a server-chosen filename and extension, store uploads outside the web root or in a directory where script execution is disabled, and restrict who can reach the registration form.

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The registration endpoint fails to validate uploaded file types, allowing arbitrary file uploads."

Attack vector

An attacker can send a multipart POST request to the registration endpoint, including a malicious PHP file disguised as a student image. The server-side code in `service/RegisterService.php` moves the uploaded file to the web-accessible `public/profiles/` directory without validating its extension or MIME type. Since the server is configured to execute PHP scripts in this directory, the attacker can then access the uploaded PHP file via a direct HTTP request to achieve remote code execution [ref_id=1].

Affected code

The vulnerability lies within the `service/RegisterService.php` file, specifically in the code that handles the uploaded student image (`stimg`). The snippet quoted in the issue report [ref_id=1] shows that, after a basic size check, the file is moved to `../public/profiles/` with `move_uploaded_file` without any validation of its extension or content type.

What the fix does

The advisory does not specify a patch or provide remediation guidance. The project was informed of the vulnerability but has not responded. Therefore, no fix is currently available.
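Since no project fix exists, the following is an added example (not code from the Kushan2k project or from the advisory's references): a reconstruction of the vulnerable upload pattern described under "Affected code", placed beside a hardened handler that applies the controls listed under "Mitigation". The function names, the 2 MiB limit, the storage directory and the image allowlist are assumptions chosen for illustration; the shape of the vulnerable function is inferred from the advisory text, not copied from the repository.

```php
<?php
// Added example, not the project's own code. The vulnerable function is an
// assumed reconstruction of the pattern the advisory describes; names, the
// size limit and the storage directory are illustrative assumptions.
declare(strict_types=1);

// VULNERABLE (assumed shape of the stimg handling in service/RegisterService.php):
// only the size is checked, the client-supplied filename is reused, and the
// file lands in a web-served directory where PHP is executed.
function saveProfileImageVulnerable(array $file): string
{
    if ($file['size'] > 2 * 1024 * 1024) {               // assumed limit
        throw new RuntimeException('file too large');
    }
    $target = '../public/profiles/' . time() . $file['name']; // poc.php stays poc.php
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('upload failed');
    }
    return $target;
}

// HARDENED: decide the type from the bytes, not from the client-supplied name
// or Content-Type; derive the extension from that decision; pick a random
// name; write outside the web root (serve through a download script, or from
// a directory with script execution disabled).
const PROFILE_IMAGE_MAX_BYTES = 2 * 1024 * 1024;          // assumed limit
const PROFILE_IMAGE_TYPES = [          // sniffed MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function saveProfileImageHardened(array $file, string $storeDir): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . $err);
    }
    // Only accept files PHP itself received in this POST request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > PROFILE_IMAGE_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type from the file's magic bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']) ?: 'unknown';
    if (!isset(PROFILE_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('unsupported image type: ' . $mime);
    }
    // Independent second check: the image must actually decode. A PHP file
    // with a forged header fails here; a true image/PHP polyglot still passes,
    // which is why the extension below is ours and never .php.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Never reuse $file['name']: both the basename and the extension are ours.
    $name   = bin2hex(random_bytes(16)) . '.' . PROFILE_IMAGE_TYPES[$mime];
    $target = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store image');
    }
    chmod($target, 0644);  // readable by the web server, never executable
    return $name;          // persist this key; serve the bytes via a handler
}

// Usage (constructed): in the registration controller, in place of the
// vulnerable call. The storage path is an assumption outside the web root.
// $key = saveProfileImageHardened($_FILES['stimg'], __DIR__ . '/../storage/profiles');
```

The two checks in the hardened version are deliberately independent: the MIME sniff rejects files that do not start like an image, and the decode check rejects files that merely carry an image header. Neither stops a carefully built polyglot, so the control that actually prevents code execution is that the stored name is random and its extension is chosen by the server from the allowlist, combined with storing the file where the web server will not execute scripts.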

Preconditions

  • input: The attacker must provide a file with a .php extension and malicious PHP code.
  • network: The attacker must be able to send POST requests to the registration endpoint.
  • auth: No authentication is required to access the registration form [ref_id=1].

Reproduction

```bash
# Prepare a minimal PHP payload, e.g., poc.php
# Send a multipart POST request to the registration endpoint (controllers/RegisterController.php)
curl -i -s -X POST \
  -H "Cookie: PHPSESSID=87hig7j6b98lntagr1ro3tmrpu" \
  -F "stname=poc-test" \
  -F "pname=parent" \
  -F "staddress=addr" \
  -F "stdob=2000-01-01" \
  -F "stemail=poc_$(date +%s)@example.com" \
  -F "stcontact=0700000000" \
  -F "gender=male" \
  -F "stregdate=2026-05-20" \
  -F "course=1" \
  -F "nic=12345" \
  -F "register=1" \
  -F "stimg=@poc.php;type=application/octet-stream;filename=poc.php" \
  http://127.0.0.1:3000/controllers/RegisterController.php

# Verify code execution by requesting the uploaded file. The server prefixes the
# original filename with a timestamp; substitute the value it assigned
# (-g disables curl's {} globbing so the placeholder is sent literally).
curl -i -g "http://127.0.0.1:3000/public/profiles/{timestamp}poc.php"
```
[ref_id=1]

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
