CVE-2026-11333
Deferred Deferred - Pending Action
Unrestricted File Upload in Tittuvarghese CollegeManagementSystem

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description
A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard_page/forms/upload_student_data.php of the component Student Data Upload Endpoint. Such manipulation of the argument Student-Data-CSV leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-11333
EUVD
EUVD-2026-34835
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tittuvarghese collegemanagementsystem *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to perform unrestricted file uploads leading to remote code execution on the server. This can result in unauthorized access, modification, or disclosure of sensitive student data managed by the CollegeManagementSystem.

Such unauthorized access and potential data breaches could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access and disclosure.

Because the vulnerability enables remote code execution and potential data compromise, organizations using the affected system may face legal and regulatory risks if they fail to secure the system and protect personal data accordingly.

Executive Summary

CVE-2026-11333 is a critical security vulnerability in the CollegeManagementSystem that allows an attacker to perform an unrestricted file upload through the Student Data Upload Endpoint located in the file upload_student_data.php.

The vulnerability occurs because the system only checks the client-supplied Content-Type header to be 'application/csv' without properly validating the uploaded file's content or extension.

An attacker can exploit this by uploading a malicious PHP file disguised as a CSV file. The filename is constructed using user-controlled parameters without any extension whitelist, allowing the attacker to append '.php' to the filename.

The uploaded file is stored in a web-accessible directory where PHP execution is allowed, enabling the attacker to execute arbitrary code remotely by accessing the uploaded PHP file.

Impact Analysis

This vulnerability can lead to Remote Code Execution (RCE) on the affected server.

An attacker can upload and execute malicious PHP code remotely, potentially gaining full control over the server hosting the CollegeManagementSystem.

This could result in unauthorized access to sensitive data, modification or deletion of data, disruption of services, and further compromise of the network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint dashboard_page/forms/upload_student_data.php that include multipart form data with a Content-Type header set to application/csv. Specifically, look for attempts to upload files with PHP code disguised as CSV files.

One way to detect exploitation attempts is to check for the presence of uploaded files with .php extensions in the web-accessible uploads directory (dashboard_page/forms/uploads/), especially files named using user-controlled parameters such as Program, Department, Course, Batch, and Year of Admission.

Suggested commands to detect this vulnerability include:

  • Using web server logs, grep for POST requests to the vulnerable endpoint: `grep 'POST /dashboard_page/forms/upload_student_data.php' /var/log/apache2/access.log`
  • Search for uploaded PHP files in the uploads directory: `find /path/to/dashboard_page/forms/uploads/ -name '*.php'`
  • Use network monitoring tools to detect HTTP requests with Content-Type: application/csv that contain suspicious payloads.
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict file uploads by implementing strict server-side validation of uploaded files, including verifying file extensions and content, not relying solely on client-supplied Content-Type headers.
  • Disable execution of PHP files in the uploads directory by configuring the web server to prevent execution of scripts in that folder.
  • Monitor and remove any suspicious PHP files already uploaded to the uploads directory.
  • If possible, temporarily disable the Student Data Upload Endpoint until a patch or fix is available.
  • Apply any available updates or patches once the vendor responds or releases a fix.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11333. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart