VYPR
High severity · 7.3 · NVD Advisory · Published May 26, 2026

CVE-2026-9517

Description

A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated access to student management endpoints in hemant6488 CodeIgniter-StudentManagementSystem allows remote attackers to view, add, edit, and delete student records without authentication.

Vulnerability

The vulnerability is improper access control (missing authentication) in the Student Management System by hemant6488. The Students controller lacks authentication checks, allowing any unauthenticated user to access endpoints such as /index.php/students/addStudentView. The affected file is application/controllers/Students.php [1][2]. The project uses a rolling release, so specific version information is unavailable.

Exploitation

An attacker can exploit this remotely by sending HTTP GET requests directly to the controller endpoints without authenticating. For example, curl.exe -i -s http://localhost:8000/index.php/students returns the full student list page [2]. Requesting /index.php/students/addStudentView exposes the form for adding new students; the edit and delete operations are reachable in the same way. No user interaction or privileges are required [2].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive student information (confidentiality breach) and the ability to create, modify, or delete student records (integrity loss) [2]. The attacker gains full access to student management functionality without authentication, potentially leading to data manipulation and reputational damage.

Mitigation

No official fix has been released. The project maintainer has not responded to the issue report [1][2]. As a rolling release project, no versioned patch is available. Until one exists, operators can add an authentication check that runs before every method of the Students controller (for example, in its constructor, so that no single method is left unguarded) or restrict network access to the application.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authentication checks on the Students controller allows unauthenticated access to all student management functionality."

Attack vector

An attacker sends HTTP requests to the Students controller endpoints (e.g., /index.php/students, /index.php/students/addStudentView) without any authentication [1]. The controller lacks login or privilege verification, so the server returns HTTP 200 responses with full student management pages and processes state-changing operations [1]. The attack is remotely exploitable over the network with no privileges required.

Affected code

The entire Students controller at application/controllers/Students.php is affected [1]. None of its methods, including those handling listing, adding, editing, and deleting students, implement authentication or authorization checks [1].

What the fix does

No patch has been published; the project maintainer has not responded to the issue report [1]. The advisory recommends implementing authentication checks in the Students controller, verifying that the user is logged in and has appropriate privileges before allowing access to any method [1]. Without such checks, all student management endpoints remain exposed to anonymous users.
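One way to implement the check described here and in the Mitigation section above, as an added example that is not code from hemant6488 CodeIgniter-StudentManagementSystem. It assumes the application follows the CodeIgniter 3 layout (the application/controllers/ path suggests this), that the login flow stores a `logged_in` flag and a `role` string in the session, and that the login page is served at the route `login`; apart from `addStudentView`, the method names in the hardened controller are placeholders for whatever the project actually defines. The guard runs in the constructor so that every method, including any added later, is covered by default.

```php
<?php
// application/core/MY_Controller.php
// Added example, not code from the project. Assumes CodeIgniter 3 and a login
// flow that stores 'logged_in' (bool) and 'role' (string) in the session and
// lives at the route 'login'. Those names are assumptions, not the project's.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Deny by default: unless a logged-in session exists, end the request here.
    // show_error() and redirect() both terminate the request, so no action
    // method of a subclass ever runs for an anonymous client.
    protected function require_login()
    {
        if ($this->session->userdata('logged_in') === TRUE) {
            return;
        }
        // Browsers are sent to the login page; a non-GET or XHR call gets a
        // bare 403 so a state-changing request is never silently redirected.
        if ($this->input->method() !== 'get' || $this->input->is_ajax_request()) {
            show_error('Authentication required', 403);
        }
        $this->session->set_userdata('redirect_to', current_url());
        redirect('login');
    }

    // Authorization on top of authentication: only the listed roles pass.
    protected function require_role(array $allowed)
    {
        if (!in_array($this->session->userdata('role'), $allowed, TRUE)) {
            show_error('Forbidden', 403);
        }
    }
}

// ---- application/controllers/Students.php (hardened shape) ----
// Only addStudentView is a name taken from the advisory; index and delete are
// assumed, and the bodies stand in for the project's existing logic.
class Students extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->require_login();   // guards every method below, and any added later
    }

    public function index()
    {
        // ... existing student listing logic ...
    }

    public function addStudentView()
    {
        // ... existing add-student form ...
    }

    public function delete($id)
    {
        $this->require_role(array('admin'));        // not every logged-in user may delete
        if ($this->input->method() !== 'post') {
            show_error('Method not allowed', 405);  // no state change on a plain GET
        }
        $id = (int) $id;
        // ... existing delete logic for $id ...
    }
}
```

With this in place, repeating the advisory's check (`curl -i -s http://localhost:8000/index.php/students` with no session cookie) should return a 302 to the login page instead of a 200 carrying the student list, and a direct POST to the delete endpoint without a session should return 403. Requiring POST for delete is an extra hardening step beyond what the advisory asks for; the essential change is that the login check runs before any method is dispatched rather than being repeated, and possibly forgotten, in each one.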

Preconditions

  • Network: the attacker must be able to reach the web application over HTTP.
  • Input: no authentication or session is required; the attacker simply sends requests to the Students controller endpoints.

Reproduction

1. Without logging in, run: `curl.exe -i -s http://localhost:8000/index.php/students` and observe the HTTP 200 response containing the full student list page [1].
2. Navigate to `http://localhost:8000/index.php/students/addStudentView` and submit the form to add a new student without authentication [1].
3. Call the appropriate delete endpoint to remove a student without authentication [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.