Executive Summary

CVE-2026-11476 is a critical security vulnerability in the Kushan2k student-management-system affecting the edit-admin function in the AdminController.php file. The vulnerability arises because the system fails to verify administrator session status, allowing unauthenticated users to send POST requests to update admin profiles. Additionally, the system constructs SQL queries by directly concatenating user input, leading to SQL injection risks.

An attacker can exploit this vulnerability to modify any administrator's email or password without authentication, potentially taking over admin accounts or locking out legitimate admins. They can also execute arbitrary SQL commands to read or modify other database data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a complete compromise of administrative privileges within the student-management-system. An attacker can take over admin accounts by changing emails and passwords, resulting in unauthorized access.

It also allows attackers to execute arbitrary SQL commands, which can lead to data breaches, unauthorized data modification, and loss of data integrity, confidentiality, and availability.

Overall, the impact includes full application takeover, data breaches, and disruption of normal system operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated POST requests to the admin profile update endpoint, specifically targeting the edit-admin function in AdminController.php. A successful exploit typically results in a 302 redirect response after sending such a request.

To detect exploitation attempts, you can look for POST requests to the endpoint that modify administrator profiles without proper authentication.

Example command using curl to test if the endpoint is vulnerable by attempting to update an admin email without authentication:

• curl -X POST -d "isadmin=1&[email protected]" https://your-target-domain.com/path-to-edit-admin-endpoint -v

Additionally, monitoring web server logs for unusual POST requests to the edit-admin endpoint or unexpected 302 redirects after such requests can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the edit-admin endpoint to authenticated and authorized administrators only.

Ensure proper authorization checks are implemented in the edit-admin function to verify administrator session status before processing any profile updates.

Sanitize and parameterize all SQL queries to prevent SQL injection, especially in functions like getAdmin(), updateAdminEmail(), and updateAdminPassword().

Monitor and block unauthenticated POST requests attempting to access the admin profile update endpoint.

If possible, apply patches or updates once the project responds or releases a fix.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the Kushan2k student-management-system allows unauthenticated attackers to bypass authorization controls and perform administrative profile updates, including modifying administrator emails and passwords via SQL injection. This leads to a complete compromise of administrative privileges, potential full application takeover, and unauthorized access to sensitive data.

Such unauthorized access and data manipulation can result in breaches of confidentiality, integrity, and availability of personal and sensitive information managed by the system.

Consequently, this vulnerability could lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and protection against unauthorized data access or modification.

Useful 0 Not Useful 0