CVE-2026-10272
Improper Authorization in a4m4 Student-Management-System
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| a4m4 | student-management-system | up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0 (exclusive) |
| a4m4 | student-management-system | up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion and modification of student records, causing data loss and business disruption.
- Loss of data integrity due to unauthorized changes.
- Potential disruption of business operations relying on accurate student data.
- No attribution: because the requests carry no user identity, the application itself cannot tie a malicious deletion to any account, which makes the action hard to trace and to reverse.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-10272 exists in the a4m4 Student-Management-System, specifically in the admin/deleteform.php script. This script performs no authentication or authorization check, so an attacker can send an HTTP GET request with a chosen sid parameter (the student identifier) and delete that student's record without ever logging in.
Because the script acts on the request and executes the SQL command without first verifying that a user session exists or that the user holds the administrator role, an unauthenticated remote attacker can delete or modify student data. No credentials are required, and the action is not tied to any account.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP GET requests to the administrative scripts, specifically to the endpoint admin/deleteform.php with the sid parameter.
A simple detection method is to check your web server logs for requests similar to: http://<your-server>/admin/deleteform.php?sid=<some_id>. Note that the default Apache and nginx combined log formats do not record cookies, so the access log alone cannot show whether a session was present; treat every hit on this endpoint as suspect and correlate it with your application's login records or with the administrators who were actually working at that time.
You can search the access logs for such requests with fixed-string grep (`-F`, so the `?` is matched literally rather than as a regex metacharacter):
```shell
grep -F 'admin/deleteform.php?sid=' /var/log/apache2/access.log
grep -F 'admin/deleteform.php?sid=' /var/log/nginx/access.log
# admin/updatedata.php is the other script named in the mitigation advice
grep -F 'admin/updatedata.php' /var/log/apache2/access.log /var/log/nginx/access.log
```
Additionally, monitoring for unexpected deletions or modifications in the student records database can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to add authentication and authorization checks to admin/deleteform.php and admin/updatedata.php (and any other admin script that changes data), so that each script verifies a logged-in administrator session before it touches the database; the check must run before the SQL statement, not after it.
Until a patch or update is available, restrict access to the admin/ directory at the web server (IP allow-listing or HTTP authentication), which stops unauthenticated requests before PHP runs.
Another temporary measure is to disable or remove these scripts if they are not actively needed.
Monitoring logs for suspicious activity and backing up the database regularly will limit the damage an exploited deletion causes.
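As an added illustration, not the project's own code, the following PHP reconstructs the unchecked pattern the explanation above describes and places a hardened version beside it. The table and column names (`students`, `sid`), the session keys (`user_id`, `role`, `csrf_token`), the use of PDO, and the assumption that the original script interpolates the id into its SQL are all assumptions for illustration; this page does not show the real application's schema or session layout.

```php
<?php
// Added example, not the a4m4 project's code. Names of the table, columns,
// and session keys are assumptions chosen to illustrate the fix.

// --- Vulnerable pattern (as the advisory describes; do not deploy) ---------
function delete_student_unchecked(PDO $db): void
{
    // No session or role check: an unauthenticated GET reaches the query.
    // (Interpolating the id into SQL is an assumption; the page only says
    // the script executes SQL directly.)
    $sid = $_GET['sid'] ?? '';
    $db->exec("DELETE FROM students WHERE sid = '$sid'");
}

// --- Hardened form ---------------------------------------------------------
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Authentication: a user must be logged in.
    // Authorization: that user must hold the admin role.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

function delete_student_checked(PDO $db): int
{
    require_admin(); // runs before any database access

    // A state-changing action should not be reachable by GET: require POST
    // and a per-session CSRF token, so a logged-in admin cannot be made to
    // delete a record by following a crafted link.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    $token = $_POST['csrf_token'] ?? '';
    if (!hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    // Validate the identifier before it reaches SQL, then bind it.
    $sid = filter_input(INPUT_POST, 'sid', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($sid === false || $sid === null) {
        http_response_code(400);
        exit('Bad sid');
    }
    $stmt = $db->prepare('DELETE FROM students WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);

    // Audit trail: record who deleted what, and from where.
    error_log(sprintf('student delete sid=%d by user=%s ip=%s',
        $sid, $_SESSION['user_id'], $_SERVER['REMOTE_ADDR'] ?? '-'));

    return $stmt->rowCount();
}
```

The essential change is that `require_admin()` runs before any database call and rejects the request with 403 when no session exists or the session lacks the admin role. In a PHP application this gate belongs in a shared include at the top of every admin/*.php script, not only deleteform.php and updatedata.php, so a newly added script cannot be forgotten. Requiring POST with a CSRF token closes the adjacent hole in which a legitimately logged-in administrator could be tricked into deleting a record via a crafted link, and binding the id as a prepared-statement parameter removes the injection risk that string-building the query would carry.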
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated and unauthorized access to critical administrative functions, enabling attackers to delete or modify student records without any session validation or permission checks.
Such unauthorized manipulation of student data can violate the integrity and availability requirements of regulations like GDPR and HIPAA, which require strict access controls and protection of personal data.
The absence of authentication and authorization on the affected scripts increases the risk of data breaches and unauthorized data alterations, potentially resulting in non-compliance with these regulations.