CVE-2026-9562
Description
A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Student Management System has missing authentication on dashboards and CRUD operations, allowing unauthenticated remote attackers full data access.
Vulnerability
A broken access control vulnerability exists in the sambitraj STUDENT-MANAGEMENT-SYSTEM up to commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 [1]. The backend dashboards (admin_dashboard.php, student_dashboard.php, teacher_dashboard.php) and all CRUD scripts (add_student.php, delete_student.php, admin_edit_student.php, etc.) use session_start() but do not verify that a valid authenticated session exists. This allows any unauthenticated user to directly access these scripts [2].
Exploitation
An attacker can exploit this vulnerability without any authentication or user interaction. By simply knowing or guessing the URL to any protected script (e.g., http://target.com/admin_dashboard.php), the attacker can send a GET request via browser or curl and receive the full response, including sensitive data and administrative functionality [2].
Impact
Successful exploitation gives the attacker complete unauthorized access to all student, teacher, and administrative data. The attacker can view, add, modify, and delete records, effectively taking control of the entire application's data and functionality [2].
Mitigation
The vendor has been notified via an issue report but has not responded [2]. As of the publication date, no official patch exists. Users must implement server-side session checks (e.g., if (!isset($_SESSION['email'])) { header('Location: login.php'); exit; }) in every dashboard and action script. This vulnerability is not listed on the CISA KEV.
- GitHub - sambitraj/STUDENT-MANAGEMENT-SYSTEM: "Student Management System (SMS) is a solution tool that is designed to track, maintain and manage all the data generated by a School, including the grades of a student.
- Global Broken Access Control – Unauthenticated Access to All Backend Dashboards and Administrative Actions
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <= 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing session-based authentication check in backend PHP scripts allows unauthenticated access to all dashboards and CRUD operations."
Attack vector
An unauthenticated attacker can directly access any backend dashboard or CRUD operation script by requesting its URL without a valid session cookie [ref_id=1][ref_id=2]. Each PHP file calls session_start() but never verifies that a legitimate session exists (e.g., no check like if (!isset($_SESSION['email']))). The attack is launched remotely over HTTP with no authentication required, and the attacker only needs to know or guess the file names (e.g., admin_dashboard.php, add_student.php). A simple curl request returns the full administrative dashboard and its sensitive data [ref_id=1][ref_id=2].
Affected code
The vulnerability affects all backend dashboard and data-manipulation PHP scripts in the STUDENT-MANAGEMENT-SYSTEM repository. The researcher identifies the following files: admin_dashboard.php, student_dashboard.php, teacher_dashboard.php, add_student.php, delete_student.php, admin_edit_student.php, and "all other action scripts" [ref_id=1][ref_id=2]. No patch is available; the project operates on a rolling release basis and has not responded to the issue report.
What the fix does
No patch has been published by the vendor. The project was informed via an issue report but has not responded [ref_id=1][ref_id=2]. The remediation guidance from the researcher is to add a session authentication check at the top of every backend script — for example, verifying that a valid session variable (such as $_SESSION['email']) is set before serving any content, and redirecting unauthenticated users to a login page [ref_id=1][ref_id=2].
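The guard that the Mitigation and "What the fix does" sections describe, written out as a reusable include. This is an added example, not code from the sambitraj project or from the researcher's report; it assumes login.php sets $_SESSION['email'] on success (as the report suggests) and, hypothetically, a $_SESSION['role'] value of 'admin', 'teacher' or 'student' for per-role checks.

```php
<?php
// require_login.php (added example, not the project's own code).
// Put this first in every dashboard and action script:
//   require_once __DIR__ . '/require_login.php';
//   require_role('admin');   // only on admin-only scripts such as add_student.php
//
// Assumptions: login.php sets $_SESSION['email'] after a successful login and
// (hypothetical) $_SESSION['role'] to 'admin', 'teacher' or 'student'.

declare(strict_types=1);

// Cookie hardening has to be applied before the session is started.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// The check the vulnerable scripts lack: calling session_start() alone does not
// prove anyone logged in; a session variable set only by login.php does.
if (empty($_SESSION['email'])) {
    // Record the direct hit so unauthenticated probing of backend scripts
    // shows up in the server log (detection), then send the client to login.
    error_log(sprintf(
        'unauthenticated access to %s from %s',
        $_SERVER['SCRIPT_NAME'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    header('Location: login.php', true, 302);
    exit;
}

// Authentication alone is not enough for a multi-role application:
// a student session must not be able to reach add_student.php or delete_student.php.
function require_role(string ...$allowed): void
{
    if (!in_array($_SESSION['role'] ?? '', $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

A curl request for admin_dashboard.php without a session cookie now receives a 302 to login.php instead of the dashboard, and the attempt is written to the PHP error log.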
Preconditions
- auth: No authentication or valid session cookie required
- input: Attacker must know or guess the filenames of backend PHP scripts (e.g., admin_dashboard.php, add_student.php)
- network: Target application must be reachable over the network
Reproduction
1. Without logging in (no valid session cookie), craft a URL to any protected resource, for example: `http://target.com/admin_dashboard.php` [ref_id=1][ref_id=2].
2. Open the URL in a browser or send a GET request with curl: `curl -i -s http://target.com/admin_dashboard.php` [ref_id=1][ref_id=2].
3. Observe that the full administrative dashboard is returned, including all management links and sensitive data [ref_id=1][ref_id=2].
4. Similarly, directly call `add_student.php`, `delete_student.php`, etc., to insert or delete records without any credentials [ref_id=1][ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.