CVE-2026-5472
Received Received - Intake
Unrestricted File Upload in ProjectsAndPrograms Profile Picture Handler

Publication date: 2026-04-03

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The affected element is an unknown function of the file /admin_panel/settings.php of the component Profile Picture Handler. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5472
EUVD
EUVD-2026-18803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectsandprograms school_management_system to 6b6fae5426044f89c08d0dd101c7fa71f9042a59 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5472 is a vulnerability in the ProjectsAndPrograms School Management System that allows authenticated users with Admin or Teacher roles to upload malicious files through the profile picture upload feature.

Specifically, the flaw exists in the file /admin_panel/settings.php within the Profile Picture Handler component. An attacker can intercept the upload request and replace the uploaded file with a malicious PHP payload.

Once the malicious file is uploaded, the attacker can access it via a browser, causing the server to execute arbitrary PHP code remotely, potentially leading to full system compromise.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the affected server.

An attacker who successfully exploits this flaw can execute arbitrary PHP code, which may lead to full system compromise.

This could result in unauthorized access to sensitive data, disruption of services, data manipulation, or further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring and intercepting HTTP POST requests to the endpoint handling profile picture uploads, specifically at /school-management-system-main/school-management-system-main/assets/updateProfilePic.php.

Using a web proxy tool like Burp Suite, you can capture and analyze the upload requests made by authenticated Admin or Teacher users to check if arbitrary files are being uploaded.

Commands or steps to detect the vulnerability include:

  • Authenticate as an Admin or Teacher user on the system.
  • Use a proxy tool (e.g., Burp Suite) to intercept the POST request to the profile picture upload endpoint.
  • Inspect the uploaded file parameter to see if it allows uploading of executable files such as PHP scripts.
  • After upload, verify if the server response includes the path to the uploaded file.
  • Attempt to access the uploaded file via a browser to check if arbitrary code execution is possible.
Mitigation Strategies

Immediate mitigation steps include restricting the types of files that can be uploaded through the profile picture upload feature to prevent executable files such as PHP scripts.

Ensure that only authenticated and authorized users (Admin or Teacher roles) can access the upload functionality.

Implement server-side validation to verify the file type and reject any suspicious or executable files.

Consider disabling direct access to uploaded files or storing them outside the web root to prevent execution.

Monitor logs for unusual upload activity and access to uploaded files.

Apply any available patches or updates from the vendor as soon as they are released.

Compliance Impact

The vulnerability allows authenticated users with Admin or Teacher roles to upload and execute arbitrary PHP code remotely, potentially leading to full system compromise.

Such a compromise could result in unauthorized access to sensitive personal data managed by the School Management System.

This unauthorized access and potential data breach could negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5472. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart