CVE-2026-10272
Deferred Deferred - Pending Action
Improper Authorization in a4m4 Student-Management-System

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10272
EUVD
EUVD-2026-33661
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
a4m4 student-management-system to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 (exc)
a4m4 student-management-system to f0c5f6842c5e8c431ff02b5260a565ca844df3a0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized deletion and modification of student records, causing data loss and business disruption.

  • Loss of data integrity due to unauthorized changes.
  • Potential disruption of business operations relying on accurate student data.
  • Complete anonymity for attackers, making it difficult to trace malicious actions.
Executive Summary

The vulnerability CVE-2026-10272 exists in the a4m4 Student-Management-System, specifically in the admin/deleteform.php script. This script lacks any authentication or authorization checks, allowing an attacker to send crafted HTTP GET requests with manipulated parameters (such as sid) to delete student records without logging in.

Because the script directly processes these requests and executes SQL commands without verifying user sessions or permissions, an attacker can perform unauthorized deletions or modifications of student data remotely and anonymously.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized HTTP GET requests to the administrative scripts, specifically to the endpoint admin/deleteform.php with the sid parameter.

A simple detection method is to check your web server logs for requests similar to: http://<your-server>/admin/deleteform.php?sid=<some_id> where no valid authentication or session is present.

You can use commands like the following to search for suspicious requests in your web server access logs:

  • grep 'admin/deleteform.php?sid=' /var/log/apache2/access.log
  • grep 'admin/deleteform.php?sid=' /var/log/nginx/access.log

Additionally, monitoring for unexpected deletions or modifications in the student records database can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing proper authentication and authorization checks on the admin/deleteform.php and admin/updatedata.php scripts to prevent unauthenticated access.

Until a patch or update is available, you can restrict access to these administrative endpoints by IP whitelisting or using web server access controls.

Another temporary measure is to disable or restrict these scripts if they are not actively needed.

Monitoring logs for suspicious activity and backing up data regularly will also help mitigate potential damage.

Compliance Impact

The vulnerability allows unauthenticated and unauthorized access to critical administrative functions, enabling attackers to delete or modify student records without any session validation or permission checks.

Such unauthorized manipulation of student data can lead to violations of data integrity and availability requirements mandated by common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal data.

The lack of authentication and authorization mechanisms in the affected system increases the risk of data breaches and unauthorized data alterations, potentially resulting in non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart