CVE-2026-11532
Description
Improper access controls in imvks786 student_management_system allow any logged-in user to add or delete student records.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A weakness exists in the imvks786 student_management_system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46 within the /add.php file. The server-side endpoints for adding and deleting student records do not enforce role-based access control, only checking if a user is logged in. This affects all versions up to the specified commit, as the project uses a rolling release system and does not disclose specific version information [1].
Exploitation
An attacker needs to be logged in as any user, including one with only 'VIEW' privileges. The attacker can then bypass the intended UI restrictions by directly crafting and sending HTTP requests. Specifically, a POST request to /add.php with student data allows adding records, and a GET request to /see.php?del=<record_id> allows deleting records, regardless of the user's actual permissions [1].
Impact
Successful exploitation allows any authenticated user, even those with minimal 'VIEW' privileges, to add new student records and delete existing student records. This leads to unauthorized data manipulation and potential data loss within the student management system [1].
Mitigation
As of the available references, no patch or fixed version has been released, and the project has not responded to the issue report. There are no disclosed workarounds. The project's status regarding end-of-life or KEV listing is not mentioned in the provided references [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 9599b560ad3c3b83e75d328b76bedcd489ef1f46
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The server-side endpoint for adding student records does not enforce role-based access control."
Attack vector
An attacker can exploit this vulnerability by crafting a POST request to the `/add.php` endpoint. The request must carry the student data the form normally submits and be sent after the attacker has authenticated as a user with VIEW privileges. The server-side script in `/add.php` only checks whether the user is logged in, not the user's permission level, so the UI-only restriction is bypassed and records can be added remotely [1].
Affected code
The vulnerability resides in the `add.php` script, specifically within lines 3–21. This script handles the student addition endpoint and performs no server-side authorization check beyond the login test. The `see.php` script is also affected: it executes the `del` deletion branch before the user's permissions are loaded, so the permission check never gates the delete [1].
What the fix does
The advisory does not specify any patches or fixes. It indicates that the project was informed of the problem but has not responded. Therefore, no remediation guidance is available at this time.
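Since no fix exists, the following is an added, illustrative example (not the project's code) of the kind of server-side guard that closes this gap: the login-only check the advisory describes next to a permission check that runs before any state-changing code in `add.php` or the `del` branch of `see.php`. The session keys, role names and permission map are assumptions.

```php
<?php
// Added example, not code from imvks786/student_management_system.
// Assumed (hypothetical) session layout: $_SESSION['user'] = login name,
// $_SESSION['role'] = 'VIEW' or 'ADMIN'.
session_start();

// Weak guard: the pattern the advisory describes. Only "logged in" is tested,
// so a VIEW-only account that sends the request directly reaches the handler.
function weak_guard(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
}

// Assumed permission map: VIEW may only read; ADMIN may also add and delete.
const PERMISSIONS = [
    'VIEW'  => ['read'],
    'ADMIN' => ['read', 'add', 'delete'],
];

// Hardened guard: the role is read from the server-side session (never from
// the request) and checked against the action BEFORE any write happens.
function require_permission(string $action): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
    $role = $_SESSION['role'] ?? '';
    if (!in_array($action, PERMISSIONS[$role] ?? [], true)) {
        // Denied attempts are worth logging: a VIEW user posting to add.php
        // or hitting ?del= is exactly the pattern this CVE describes.
        error_log(sprintf('authz denied user=%s role=%s action=%s uri=%s',
            $_SESSION['user'], $role, $action, $_SERVER['REQUEST_URI'] ?? '-'));
        http_response_code(403);
        exit('forbidden');
    }
}

// add.php: guard first, then handle the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_permission('add');
    // ... insert the student record (project code) ...
}
// see.php: the guard must precede the ?del= branch, which the advisory notes
// currently executes before permissions are loaded.
if (isset($_GET['del'])) {
    require_permission('delete');
    // ... delete the record (project code) ...
}
```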
Preconditions
- auth: The attacker must be authenticated as a user with VIEW privileges.
- network: The attacker must be able to send requests to the target server remotely.
Reproduction
Log in as the VIEW user: admin1 / admin. After successful login, capture the PHPSESSID cookie. Send a POST request to add.php with the required student data – the record is successfully created despite the user having only VIEW permission [1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.