CVE-2026-11533
Description
Improper authorization in imvks786 student_management_system's /see.php allows VIEW-privileged users to delete student records remotely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper authorization vulnerability exists in the student deletion endpoint, specifically in the /see.php file of the imvks786 student_management_system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The del parameter is used to delete student records, but the DELETE query is executed before any authorization checks are performed [2]. This product uses a rolling release, so specific affected and updated versions are not available [1].
Exploitation
An attacker can exploit this vulnerability remotely by crafting a GET request to /see.php. The attacker needs to be logged in with a user account that has only VIEW permission, such as the default admin1 account. By including ?submit=submit&del=<student_id> in the request, the attacker can initiate the deletion of any student record, as the server-side authorization check occurs after the deletion query has already been executed [2].
Impact
Successful exploitation allows an attacker with VIEW privileges to delete any student record from the system. This leads to unauthorized data destruction and loss of integrity for student records. The scope of the compromise is limited to the data within the student management system that the attacker can identify and target for deletion [2].
Mitigation
No specific patched version or release date is available as the project has not responded to the issue report. Users are advised to implement custom access controls or monitor the GitHub repository for future updates. The project was informed early, but no fix has been released yet [1, 2].
- GitHub - imvks786/student_management_system: This is simple student management system coded in HTML, CSS, JAVASCRIPT AND PHP as front-end languages. And at backend the SQL server is used for query processing.
- VIEW-Privileged User Can Delete Student Records – Server-Side Authorization Missing in `see.php`
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The student deletion logic in see.php executes the DELETE query before verifying the user's permissions."
Attack vector
An attacker can exploit this vulnerability by sending a crafted GET request to the /see.php endpoint with the 'submit' and 'del' parameters. This request can be made remotely by any user, including those with only VIEW privileges. The 'del' parameter specifies the ID of the student record to be deleted. The vulnerability lies in the fact that the DELETE query is executed immediately upon receiving the request, before any authorization checks are performed [ref_id=1].
Affected code
The vulnerability exists in the file /see.php, specifically within lines 7-20. The code first checks if the 'submit' GET parameter is set and then proceeds to execute a DELETE query using the 'del' GET parameter. The user's permission level is only checked after the deletion has already occurred [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. It notes that the project was informed but has not responded. Therefore, no fix explanation can be provided.
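Because no project fix exists, the following is an added illustrative example of the check-before-act pattern the root cause calls for; it is not code from the imvks786 repository and does not describe its actual fix. It assumes a PDO connection in `$pdo`, a session that stores the account role in `$_SESSION['role']`, a `students` table with an integer `id` column, and an `ADMIN` role name; all of these are assumptions. It also moves the deletion from GET to POST, a general hardening not mentioned on this page.

```php
<?php
// Added example (not the project's code): authorization runs BEFORE the
// DELETE query, reversing the order described in the advisory.
// Assumptions: $pdo is an open PDO connection, $_SESSION['role'] holds the
// account role, table `students` has an integer `id`, role name 'ADMIN'.

session_start();

// Role that may delete records; VIEW-only accounts must be refused.
const ROLE_ADMIN = 'ADMIN';

/**
 * True only when the current session is allowed to delete records.
 * This is evaluated before any state-changing query is issued.
 */
function canDelete(array $session): bool
{
    return isset($session['user_id'], $session['role'])
        && $session['role'] === ROLE_ADMIN;
}

/**
 * Delete one student by id. Callers must already have passed canDelete().
 * A prepared statement keeps the id out of the SQL text.
 */
function deleteStudent(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM students WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// A delete is a state change, so it is only accepted over POST, never via a GET link.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['del'])) {
    // 1. Authorization first: refuse before the database is touched.
    if (!canDelete($_SESSION)) {
        http_response_code(403);
        exit('FORBIDDEN');
    }

    // 2. Validate the identifier: only a positive integer is acceptable.
    $id = filter_input(INPUT_POST, 'del', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('INVALID ID');
    }

    // 3. Only now perform the state-changing action.
    $deleted = deleteStudent($pdo, $id);
    echo $deleted > 0 ? 'RECORD DELETED!' : 'NO SUCH RECORD';
}
```

The ordering is the whole point: the permission check, the input validation and the query are three separate steps, and the query is unreachable unless the first two succeed. Returning 403 on a failed check also gives the web server log a distinct status code to alert on, whereas the vulnerable ordering returns a normal 200 after the record is already gone.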
Preconditions
- auth: The attacker must be logged in with at least VIEW privileges, such as the default 'admin1' account.
- input: The attacker needs to know the ID of a student record to delete.
Reproduction
Log in as the VIEW user admin1 / admin. Obtain a valid PHPSESSID. Identify a target student ID (e.g., 1614). Send a GET request to /see.php?submit=submit&del=1614 with the session cookie. Observe that the response shows “RECORD DELETED!” and the total record count decreases, confirming the deletion succeeded [ref_id=1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.