CVE-2026-11474
Status: Deferred - Pending Action
Unrestricted File Upload in Kushan2k Student-Management-System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function in the file service/RegisterService.php of the component Registration Endpoint. Manipulating the argument stimg results in an unrestricted file upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates, so specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: kushan2k
Product: student-management-system
Version / Range: up to and including f16a4ceaddd6729c4b306ed4641cda3176c1ef2a
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

CVE-2026-11474 is an unrestricted file upload vulnerability in the Kushan2k student-management-system, located in service/RegisterService.php (the Registration Endpoint). The flaw allows an attacker to manipulate the 'stimg' argument during student registration to upload files that are not validated.

The system only checks the file size before saving the uploaded file to a web-accessible directory but does not validate the file extension, MIME type, or content. This allows an attacker to upload malicious files such as PHP web shells.

Because the uploaded file is saved with a predictable name, an attacker can directly access and execute the uploaded malicious code remotely without authentication.

Compliance Impact

The vulnerability allows unrestricted file upload leading to remote code execution and potential full server compromise.

Such a compromise can result in unauthorized access to sensitive personal data managed by the student management system.

This exposure and potential data breach could violate data protection regulations such as GDPR and, where the system stores health records, HIPAA, both of which require safeguarding personal and health information against unauthorized access.

Therefore, the vulnerability negatively impacts compliance with these common standards by increasing the risk of data breaches and unauthorized data disclosure.

Impact Analysis

This vulnerability can have severe impacts including full server compromise. An attacker can upload and execute arbitrary code on the server, leading to remote code execution (RCE).

Successful exploitation can result in persistent backdoor access, allowing attackers to maintain control over the system.

It can also lead to data breaches, exposing sensitive student and system information.

Detection Guidance

Exploitation leaves two traces: a multipart POST to service/RegisterService.php whose stimg part is not an image, and a non-image file appearing in the web-accessible directory public/profiles/, usually followed by requests for that file.

Check public/profiles/, which should contain only image files, for PHP or other server-executable files and for image-named files whose content is not an image.

Suggested commands include:

  • On the web server, list the upload directory with timestamps: ls -la /path/to/public/profiles/
  • Find recently written files with a server-executable extension, including double extensions such as name.php.jpg (GNU find): find /path/to/public/profiles/ -type f -mtime -7 -regextype posix-extended -iregex '.*\.(php[0-9]?|phtml|phar)(\..*)?$'
  • Check content rather than names: file /path/to/public/profiles/* | grep -v -E 'JPEG|PNG|GIF'
  • Check web server logs for POST requests to the registration endpoint (the URL prefix depends on the document root): grep 'POST /service/RegisterService.php' /var/log/apache2/access.log
  • Check the same logs for requests to PHP files under the upload directory, which indicate an uploaded file being executed: grep -E '/profiles/[^ ]*\.ph(p[0-9]?|tml|ar)' /var/log/apache2/access.log
  • On the network, alert on multipart/form-data POSTs to the registration endpoint whose stimg part lacks an image signature, and on requests for .php paths under profiles/.
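The checks above, combined into one offline triage script as an added example (not code from the advisory or the project). It is written in PHP because the application is PHP and the interpreter is already on the host; it assumes PHP 8. The directory name public/profiles/ and the endpoint path come from the advisory; the executable-extension list assumes an Apache/mod_php-style handler configuration, the URL prefix of the upload directory depends on the document root, and the files and Apache combined-log lines at the bottom are constructed for the demonstration.

```php
<?php
// Added example: triage sweep for CVE-2026-11474 indicators. Not project code.
// Assumes PHP 8. Sample files and log lines below are constructed.

declare(strict_types=1);

// Magic bytes of the only types a profile-picture directory should contain.
const IMAGE_SIGNATURES = [
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
    'gif' => "GIF8",
];

// Extensions the web server may hand to the PHP engine (assumed mod_php-style
// defaults; adjust to the server's actual handler configuration).
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

/** True if the file starts with a JPEG, PNG or GIF signature. */
function hasImageSignature(string $path): bool
{
    $head = (string) file_get_contents($path, false, null, 0, 8);
    foreach (IMAGE_SIGNATURES as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Returns [filename => reason] for every file that is not a plain image:
 * executable extensions anywhere in the name (avatar.php.jpg included),
 * files without an image signature, and images carrying a PHP open tag.
 */
function scanUploadDir(string $dir): array
{
    $findings = [];
    foreach (scandir($dir) as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (!is_file($path)) {
            continue;
        }
        $parts = array_map('strtolower', explode('.', $name));
        array_shift($parts); // drop the base name, keep every extension
        if (array_intersect($parts, EXECUTABLE_EXTENSIONS)) {
            $findings[$name] = 'executable extension';
        } elseif (!hasImageSignature($path)) {
            $findings[$name] = 'no image signature';
        } elseif (str_contains((string) file_get_contents($path), '<?php')) {
            $findings[$name] = 'image with embedded PHP tag';
        }
    }
    return $findings;
}

/** Flags Apache combined-log lines for the upload and for execution of the result. */
function findSuspiciousRequests(array $logLines): array
{
    $patterns = [
        'upload to registration endpoint' =>
            '#^(\S+) \S+ \S+ \[([^\]]+)\] "POST /service/RegisterService\.php[^"]*" (\d{3})#',
        'request for PHP file in upload dir' =>
            '#^(\S+) \S+ \S+ \[([^\]]+)\] "\w+ /[^" ]*profiles/[^" ]*\.ph(?:p\d?|tml|ar)\b[^"]*" (\d{3})#',
    ];
    $hits = [];
    foreach ($logLines as $line) {
        foreach ($patterns as $kind => $pattern) {
            if (preg_match($pattern, $line, $m)) {
                $hits[] = ['kind' => $kind, 'ip' => $m[1], 'time' => $m[2], 'status' => (int) $m[3]];
            }
        }
    }
    return $hits;
}

// --- constructed sample data --------------------------------------------------
$dir = sys_get_temp_dir() . '/profiles_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/1001.jpg", "\xFF\xD8\xFF\xE0JFIF fake body");         // legitimate
file_put_contents("$dir/1002.php", "<?php system(\$_GET['c']); ?>");           // web shell
file_put_contents("$dir/1003.jpg", "<?php echo 1; ?>");                       // shell renamed .jpg
file_put_contents("$dir/1004.php.jpg", "\xFF\xD8\xFF\xE0 <?php phpinfo();");   // double extension

$logLines = [
    '203.0.113.7 - - [08/Jun/2026:10:01:22 +0000] "POST /service/RegisterService.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.2 - - [08/Jun/2026:10:01:30 +0000] "GET /public/profiles/1002.php?c=id HTTP/1.1" 200 88 "-" "curl/8.4"',
    '192.0.2.9 - - [08/Jun/2026:10:02:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

print_r(scanUploadDir($dir));           // 1002.php, 1003.jpg and 1004.php.jpg are flagged
print_r(findSuspiciousRequests($logLines)); // the POST and the GET of 1002.php are flagged
```

Run it with the php CLI on the server, pointing $dir at the real public/profiles/ and $logLines at file('/var/log/apache2/access.log'). The signature check is deliberate: a web shell saved as 1003.jpg survives an extension-only search, and a real JPEG with PHP appended survives a signature-only one, which is why both checks plus the embedded-tag check are applied.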
Mitigation Strategies

Immediate mitigation steps include implementing strict validation on file uploads in the RegisterService.php component.

  • Validate the file extension against an allowlist of image formats (e.g., jpg, png, gif) and determine the type from the file's bytes on the server; the MIME type the client sends in the multipart request is attacker-controlled and must not be trusted.
  • Implement server-side checks to verify the actual content of the uploaded files (magic bytes and a successful image-header parse), and re-encode the image where possible so that code appended to a valid image is discarded.
  • Rename uploaded files to non-predictable, server-chosen names with a server-chosen extension, and store them outside the web root, serving them through a script that sets the Content-Type.
  • Configure the web server so nothing in the upload directory is handed to the PHP engine (on Apache with mod_php, for example, php_admin_flag engine off for that directory, or removing the PHP handler there); file-system permissions alone do not stop the PHP module from executing a .php file it can read.
  • Monitor and audit file uploads and web server logs for suspicious activity.

Since the project uses a rolling release model and has not yet responded, consider applying custom patches or disabling the vulnerable upload functionality until a fix is released.
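The mitigation list above, carried through as one handler in PHP, the project's language. This is an added example, not code from the project or the advisory, and the commented "before" snippet illustrates the pattern the advisory describes rather than quoting RegisterService.php. Function names, the storage directory, the size limit and the serving route are assumptions; it assumes PHP 8 with the fileinfo extension, and uses GD for re-encoding only if it is installed. The 1x1 GIF and the web-shell file in the demo are constructed.

```php
<?php
// Added example, not project code: hardened replacement for the upload
// pattern in the advisory. Names, paths and limits are assumptions.
// Assumes PHP 8 with fileinfo; GD optional.

declare(strict_types=1);

// The pattern the advisory describes, for contrast (illustrative, not a
// quotation): size is the only check, the client's extension and a
// predictable name are kept, and the file lands under the web root.
//
//   if ($_FILES['stimg']['size'] < 2000000) {
//       move_uploaded_file($_FILES['stimg']['tmp_name'],
//           'public/profiles/' . $studentId . '.' . $clientExt);
//   }

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
// Canonical extension per accepted MIME type; anything else is rejected.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Three independent signals: declared extension, libmagic sniff of the bytes,
 * and a successful image-header parse. Returns the canonical extension or
 * throws. The client's $_FILES[...]['type'] is never consulted.
 */
function validateImage(string $tmpPath, string $clientName, int $size): string
{
    if ($size <= 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('bad size');
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('extension not allowed');   // stops shell.php
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("type $mime not allowed");  // stops shell.jpg
    }
    $info = getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a parseable image');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Moves a validated upload outside the document root under a random name and
 * returns the opaque id to store. A real JPEG with PHP appended passes
 * validateImage(); it is neutralised here by the non-web location, the
 * server-chosen extension and re-encoding.
 */
function storeProfileImage(array $file, string $storageDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $ext  = validateImage($file['tmp_name'], $file['name'], (int) $file['size']);
    $id   = bin2hex(random_bytes(16));                // 128 bits, not guessable
    $dest = "$storageDir/$id.$ext";
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    if (function_exists('imagecreatefromstring')) {   // GD: keep pixels, drop the rest
        $im = imagecreatefromstring((string) file_get_contents($dest));
        if ($im === false) {
            unlink($dest);
            throw new RuntimeException('image failed to decode');
        }
        match ($ext) {
            'jpg' => imagejpeg($im, $dest, 85),
            'png' => imagepng($im, $dest),
            'gif' => imagegif($im, $dest),
        };
    }
    chmod($dest, 0644);
    return $id;
}

/** Serves a stored image by id, so the storage directory is never web-accessible. */
function serveProfileImage(string $id, string $storageDir): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) {       // no traversal, no extension games
        http_response_code(404);
        return;
    }
    foreach (ALLOWED_TYPES as $mime => $ext) {
        if (is_file("$storageDir/$id.$ext")) {
            header("Content-Type: $mime");
            header('X-Content-Type-Options: nosniff');
            readfile("$storageDir/$id.$ext");
            return;
        }
    }
    http_response_code(404);
}

// --- constructed CLI demo of the validator (no real HTTP upload) ---------------
$tmp = sys_get_temp_dir() . '/upl_' . bin2hex(random_bytes(4));
file_put_contents("$tmp.gif", base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')); // real 1x1 GIF
file_put_contents("$tmp.php", "<?php system(\$_GET['c']);");                                // web shell
foreach ([["$tmp.gif", 'me.gif'], ["$tmp.php", 'shell.php'], ["$tmp.php", 'shell.jpg']] as [$path, $name]) {
    try {
        echo "$name: accepted as ", validateImage($path, $name, (int) filesize($path)), "\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected (", $e->getMessage(), ")\n";
    }
}
```

The demo accepts me.gif and rejects both shell variants: shell.php on the extension allowlist, shell.jpg on the libmagic sniff. In the application, storeProfileImage() replaces the move into public/profiles/, the returned id is saved with the student record, and a route such as profile.php?id=... calls serveProfileImage() with a storage directory that sits outside the document root; the web-server handler change from the mitigation list remains worthwhile as defence in depth for any files already present.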
