CVE-2026-11335
Status: Deferred - Pending Action
Session Fixation in tittuvarghese CollegeManagementSystem

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description
A flaw has been found in tittuvarghese CollegeManagementSystem (commits 3e476335cfbfb9a049e09f474c7ec885f69a9df3 / a38852979f7e27ae67b610dce5979500ef8ebe01). It affects the function session_start in the file /login-form.php: manipulation of the argument UserAuthData can lead to session fixation. The attack can be launched remotely. An exploit has been published and may be used. The project does not use versioning, so no information about affected and unaffected releases is available. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-12
Affected Vendors & Products (1 associated CPE)
Vendor: tittuvarghese
Product: collegemanagementsystem
Version / Range: * (all; the project does not use versioning)
CWE
CWE-384 (Session Fixation): Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
AI Quick Actions (instant insights powered by AI)
Compliance Impact

The session fixation vulnerability in CollegeManagementSystem allows an attacker to take over user accounts, including those with administrative privileges, by planting a session ID in the victim's browser before login and reusing that same ID once the victim has authenticated. This leads to unauthorized access and potential exposure of sensitive personal data.

Such unauthorized access and potential data exposure can violate common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information, proper user authentication, and prevention of unauthorized access.

Therefore, this vulnerability negatively impacts compliance by undermining the confidentiality and integrity of user data and authentication mechanisms.

Executive Summary

CVE-2026-11335 is a session fixation vulnerability in the CollegeManagementSystem's login process. The issue arises because the system starts a session with session_start() but does not regenerate the session ID after a user successfully logs in. This allows an attacker to set a predetermined session ID on a victim's browser before login.

When the victim logs in, they unknowingly use the attacker's fixed session ID. The attacker can then reuse this session ID to access the victim's authenticated session, effectively taking over the victim's account without needing their credentials.

Impact Analysis

This vulnerability can lead to full account takeover by an attacker. The attacker can gain unauthorized access to a victim's account, including any administrative privileges the victim holds.

The attacker can maintain persistent access to the victim's account until the session expires or is manually invalidated, enabling privilege escalation and unauthorized actions within the system.

Detection Guidance

This is a check for the vulnerability itself rather than for an attack in progress: the session ID issued (or accepted) before login must not survive a successful authentication. If the authenticated session still runs under the pre-login ID, the application can be fixated.

The simplest way to confirm it is to compare the session ID (PHPSESSID by default in PHP, carried in a cookie or, less commonly, a URL parameter) in the responses before and after login.

curl or the browser developer tools are enough to inspect the session cookies.

  • With curl, save the cookie jar from a plain request to the login page, then submit the login form against that jar into a second one and compare the two: curl -c before.txt http://target/login-form.php, then curl -b before.txt -c after.txt with the form's POST data against the same URL, then diff the PHPSESSID values in before.txt and after.txt.
  • Use a proxy tool like Burp Suite or OWASP ZAP to intercept and compare the session IDs in the requests before and after authentication.
  • A session ID that is identical before and after login is the indicator of session fixation. Also check whether the server adopts a never-issued ID it is handed (PHP does this by default unless session.use_strict_mode is on), since that is what lets an attacker plant one without first obtaining a valid ID.
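The before/after comparison above, automated over the cookie jars that curl -c writes, as an added example that is not part of the advisory or of the CollegeManagementSystem project. It assumes the session cookie is PHP's default PHPSESSID (extend the name list if the application calls session_name()); the two jar files are constructed inline, not real captures.

```python
"""Flag a session cookie that survives login unchanged, from curl cookie jars.

Added example, not code from the advisory or the project. Assumes PHP's default
session cookie name PHPSESSID; pass other names if the app uses session_name().
"""
from typing import Dict, Iterable

DEFAULT_SESSION_COOKIES = ("PHPSESSID",)


def parse_cookie_jar(text: str) -> Dict[str, str]:
    """Parse a Netscape-format cookie jar (what curl -c writes) into {name: value}.

    Each record has seven tab-separated fields: domain, include-subdomains flag,
    path, secure flag, expiry, name, value. curl prefixes HttpOnly cookies with
    '#HttpOnly_', so those lines are records, not comments.
    """
    cookies: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed record: skip rather than guess
        cookies[fields[5]] = fields[6]
    return cookies


def compare_session_cookies(before_jar: str, after_jar: str,
                            names: Iterable[str] = DEFAULT_SESSION_COOKIES) -> Dict[str, str]:
    """Classify each session cookie as 'unchanged', 'regenerated', 'new' or 'absent'.

    'unchanged' is the fixation indicator: the ID in play before authentication
    is still the ID of the authenticated session.
    """
    before = parse_cookie_jar(before_jar)
    after = parse_cookie_jar(after_jar)
    verdict: Dict[str, str] = {}
    for name in names:
        if name in before and name in after:
            verdict[name] = "unchanged" if before[name] == after[name] else "regenerated"
        elif name in after:
            verdict[name] = "new"      # no pre-login ID existed, nothing to fixate
        else:
            verdict[name] = "absent"   # not cookie-based, or a different cookie name
    return verdict


def is_fixation_candidate(before_jar: str, after_jar: str,
                          names: Iterable[str] = DEFAULT_SESSION_COOKIES) -> bool:
    """True when any session cookie kept the same value across the login."""
    return "unchanged" in compare_session_cookies(before_jar, after_jar, names).values()


# Constructed sample jars (not real captures): a GET of /login-form.php, then the
# login POST, against a server that keeps the ID and one that regenerates it.
BEFORE = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_target\tFALSE\t/\tFALSE\t0\tPHPSESSID\tsame-id-before-login\n"
)
AFTER_VULNERABLE = BEFORE  # identical cookie after a successful login
AFTER_FIXED = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_target\tFALSE\t/\tFALSE\t0\tPHPSESSID\tfresh-id-after-login\n"
)

if __name__ == "__main__":
    print("vulnerable:", compare_session_cookies(BEFORE, AFTER_VULNERABLE))
    print("fixed:     ", compare_session_cookies(BEFORE, AFTER_FIXED))
```

An 'unchanged' verdict means the application is exploitable by anyone who can get a cookie into the victim's browser; it says nothing about whether an attack is happening. Note that a server which regenerates on login can still adopt a never-issued ID before login, so the jar comparison is the decisive check, and the strict-mode question above is the secondary one.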
Mitigation Strategies

To mitigate this session fixation vulnerability, the application should regenerate the session ID after successful authentication.

Immediate steps include:

  • Modify the login script to call session_regenerate_id(true) immediately after the credentials are verified; passing true deletes the old session data as well, so the pre-login ID cannot be reused.
  • Treat any session ID presented before login as untrusted: the regeneration above is what invalidates it, and enabling session.use_strict_mode in php.ini additionally stops PHP from adopting an ID the server never issued.
  • If you cannot immediately patch the application, monitor and restrict suspicious session activity and consider additional controls such as multi-factor authentication.
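The attack flow from the Executive Summary and the fix from the list above, played out against a small in-memory model of PHP's session handling. This is an added example, not code from the advisory or the CollegeManagementSystem project: the user table, password, planted ID and login function are constructed for the demo, and the cookie-delivery vector that puts the attacker's ID into the victim's browser is deliberately left out of the model. It goes one step past the page by also modelling session.use_strict_mode, to show that strict mode alone does not close the hole.

```python
"""Session fixation against a session store with and without regeneration on login.

Added example, not the project's code: an in-memory model of PHP session handling
used to show why session_regenerate_id(true) after a successful login is the fix.
"""
import secrets
from typing import Dict, Optional, Tuple

# Constructed credential store; a real app would verify a password hash from the DB.
USERS = {"admin": "correct-horse-battery"}


class SessionStore:
    def __init__(self, regenerate_on_login: bool, strict_mode: bool = False) -> None:
        self.regenerate_on_login = regenerate_on_login
        # Models PHP's session.use_strict_mode: when off (the default), an ID the
        # server never issued is still adopted if the client presents it.
        self.strict_mode = strict_mode
        self.sessions: Dict[str, Dict[str, str]] = {}

    def session_start(self, client_sid: Optional[str]) -> str:
        """Return the session ID this request runs under (models session_start())."""
        if client_sid is not None and (client_sid in self.sessions or not self.strict_mode):
            self.sessions.setdefault(client_sid, {})
            return client_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, client_sid: Optional[str], username: str, password: str) -> Tuple[str, bool]:
        """Models /login-form.php: start the session, check credentials, mark it authenticated."""
        sid = self.session_start(client_sid)
        if USERS.get(username) != password:
            return sid, False
        if self.regenerate_on_login:
            # Equivalent of session_regenerate_id(true): fresh ID, old record deleted,
            # so whoever knew the pre-login ID is left holding nothing.
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, client_sid: str) -> Optional[str]:
        """Which user, if any, a request carrying this session ID is treated as."""
        return self.sessions.get(client_sid, {}).get("user")


def run_fixation_attack(store: SessionStore, attacker_obtains_valid_sid: bool = False) -> Optional[str]:
    """Play the attack and report whose session the planted ID ends up holding.

    The attacker either invents an ID or first visits the site to get a real one;
    either way the victim's browser is assumed to send that ID when logging in.
    """
    if attacker_obtains_valid_sid:
        planted = store.session_start(None)   # a genuine, unauthenticated ID
    else:
        planted = "attacker-chosen-id"        # an ID the server never issued
    _victim_sid, ok = store.login(planted, "admin", USERS["admin"])
    assert ok, "the victim's login must succeed for the attack to matter"
    return store.whoami(planted)              # attacker replays the planted ID


if __name__ == "__main__":
    print("no regeneration:        ", run_fixation_attack(SessionStore(False)))
    print("strict mode only:       ", run_fixation_attack(SessionStore(False, strict_mode=True)))
    print("strict mode, valid sid: ", run_fixation_attack(SessionStore(False, strict_mode=True), True))
    print("regenerate on login:    ", run_fixation_attack(SessionStore(True), True))
```

The first run returns "admin": the attacker's ID became the administrator's session. Strict mode blocks the invented ID but not one the attacker obtained legitimately first, which is why it is defence in depth only; regenerating the ID after authentication defeats both variants.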