CVE-2026-11475
Deferred - Pending Action
SQL Injection in student-management-system via GradeController

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-08
AI Q&A: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: kushan2k
Product: student_management_system
Version / Range: to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a (inc)

CWE ID: Description
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

The vulnerability CVE-2026-11475 is a SQL injection flaw in the Kushan2k student-management-system, specifically in the getStatus function of the GradeController.php file. It occurs because user input (the nic argument) is directly embedded into an SQL query without proper sanitization or parameterization.

An attacker can exploit this by sending a crafted POST request with malicious SQL code, such as '0 OR 1=1 --', which bypasses certificate verification and returns the first student ID in the database.

This allows the attacker to manipulate the session and impersonate another student, gaining unauthorized access to sensitive information like personal details, email, NIC, address, enrolled courses, and grades.

Impact Analysis

This vulnerability can lead to privilege escalation and confidentiality breaches by allowing an attacker to impersonate other students.

  • Unauthorized access to sensitive personal information such as email, NIC, address, enrolled courses, and grades.
  • Potential account takeover through session manipulation.
  • Widespread data exposure due to the ability to bypass certificate verification.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious SQL injection attempts targeting the getStatus function in controllers/GradeController.php, specifically manipulation of the nic parameter.

One way to detect exploitation attempts is to look for unusual POST requests containing SQL injection payloads such as '0 OR 1=1 --' sent to GradeController.php.

Such attempts can be found by inspecting network traffic or searching web server logs for suspicious input patterns. Example commands:

  • Using grep on web server logs to find suspicious POST requests: grep -i "nic=.*OR 1=1" /var/log/apache2/access.log
  • Using curl to test the vulnerability by sending a crafted POST request: curl -X POST -d "nic=0 OR 1=1 --" http://targetserver/path/to/GradeController.php
  • Monitoring session anomalies after such requests, as attackers may impersonate other users by exploiting this flaw.
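
A stricter check than grepping for one payload, as an added example (not code from the page or the project): it URL-decodes each POST body and flags any nic value that is not a well-formed identity number. Apache's default access log formats do not record POST bodies, so the tab-separated body log, the NIC pattern and the sample lines below are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed NIC shapes (not stated on the page): 9 digits + V/X, or 12 digits.
NIC_OK = re.compile(r"^(?:\d{9}[VvXx]|\d{12})$")
# Tokens that have no place in an identity number.
SQL_HINT = re.compile(r"'|--|#|/\*|;|\b(?:or|and|union|select|sleep)\b", re.I)


def classify_nic(value):
    """Return 'ok', 'malformed' or 'sqli' for one decoded nic value."""
    if NIC_OK.match(value):
        return "ok"
    return "sqli" if SQL_HINT.search(value) else "malformed"


def scan(lines):
    """Yield (client_ip, nic, verdict) for POST bodies whose nic is not well-formed."""
    for line in lines:
        # Constructed log format: ip <TAB> method <TAB> path <TAB> urlencoded body
        try:
            ip, method, _path, body = line.rstrip("\n").split("\t", 3)
        except ValueError:
            continue  # not a line in the expected format
        if method != "POST":
            continue
        # parse_qs undoes percent- and plus-encoding, so encoded payloads are seen decoded
        for nic in parse_qs(body, keep_blank_values=True).get("nic", []):
            verdict = classify_nic(nic)
            if verdict != "ok":
                yield ip, nic, verdict


# Constructed sample lines (documentation IP ranges, path as written on the page).
SAMPLE = [
    "192.0.2.10\tPOST\t/path/to/GradeController.php\tnic=912345678V",
    "198.51.100.7\tPOST\t/path/to/GradeController.php\tnic=0+OR+1%3D1+--",
    "203.0.113.9\tPOST\t/path/to/GradeController.php\tnic=12345",
    "192.0.2.10\tGET\t/index.php\t",
]

if __name__ == "__main__":
    for ip, nic, verdict in scan(SAMPLE):
        print(f"{verdict:9} {ip:15} nic={nic!r}")
```

Flagging everything that fails the allow-list, rather than only known payload strings, also surfaces encoded or reworded variants that a fixed grep pattern misses.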

Mitigation Strategies

Immediate mitigation steps include sanitizing and parameterizing all user inputs, especially the nic parameter in the getStatus function of GradeController.php.

Since the vulnerability is due to SQL injection, applying prepared statements or using ORM methods that avoid direct embedding of user input into SQL queries is critical.
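
The difference between concatenating nic into the query and binding it, as an added example that is not the project's code: the page does not show the PHP source of getStatus, so the table, column names and the Python/sqlite3 stand-in are assumptions. In the PHP controller the equivalent fix is a prepared statement with nic passed as a bound parameter.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's student table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, nic TEXT)")
    db.executemany(
        "INSERT INTO students (id, nic) VALUES (?, ?)",
        [(1, "199012345678"), (2, "200012345678")],  # constructed rows
    )
    return db


def get_status_concat(db, nic):
    """'Before' form: nic is pasted into the SQL text, as the advisory describes."""
    sql = "SELECT id FROM students WHERE nic = " + nic + " LIMIT 1"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def get_status_bound(db, nic):
    """Hardened form: nic is a bound parameter and is only ever compared as data."""
    row = db.execute(
        "SELECT id FROM students WHERE nic = ? LIMIT 1", (nic,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR 1=1 --"  # the input quoted in the Executive Summary
    # Concatenated: the WHERE clause becomes always-true, first student ID comes back.
    print("concatenated:", get_status_concat(db, payload))
    # Bound: the whole string is compared against nic, nothing matches.
    print("bound:       ", get_status_bound(db, payload))
    # Bound, legitimate value: still resolves to the right student.
    print("bound legit: ", get_status_bound(db, "200012345678"))
```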

Additionally, monitoring and blocking suspicious requests that attempt SQL injection payloads can reduce exploitation risk.

If possible, restrict access to the vulnerable endpoint and apply web application firewall (WAF) rules to detect and block SQL injection attempts.

Finally, keep the system updated and watch for any patches or responses from the project maintainers.

Compliance Impact

The SQL injection vulnerability in the Kushan2k student-management-system allows attackers to bypass certificate verification and impersonate students, gaining unauthorized access to sensitive personal information such as NIC, email, address, enrolled courses, and grades.

This unauthorized access and potential data exposure can lead to breaches of confidentiality and privacy, which are critical concerns under regulations like GDPR and HIPAA that mandate protection of personal and sensitive data.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to inadequate protection of personal data and failure to prevent unauthorized access.
