CVE-2026-11533
Received - Intake
Improper Authorization in imvks786 Student Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown functionality of the file /see.php in the Student Deletion Endpoint component. Manipulation of the argument del leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release to provide continuous delivery, so no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: imvks786
Product: student_management_system
Version / Range: up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46 (inclusive)
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in the student management system's file see.php, specifically in the Student Deletion Endpoint. It allows a user with only VIEW permissions to delete student records without proper authorization. The deletion query executes before verifying the user's permission level, so the permission check only shows a warning but does not stop the deletion. An attacker can exploit this by sending a crafted GET request with the del parameter to delete any student record remotely.

Impact Analysis

This vulnerability can lead to unauthorized deletion of student records by users who should only have viewing rights. This can result in data loss, disruption of system operations, and potential damage to the integrity of the student management system. Since the exploit can be initiated remotely, attackers do not need physical access to the system to cause harm.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized deletion attempts via crafted GET requests to the /see.php endpoint with the del parameter.

Specifically, an attacker with only VIEW permissions can delete student records by sending a request like: /see.php?submit=submit&del=<student_id>.

To detect exploitation attempts, you can search your web server logs for GET requests to /see.php containing the del parameter.

  • Example command to search Apache logs for suspicious requests: grep "/see.php" /var/log/apache2/access.log | grep "del="
  • Example command to monitor live traffic for such requests using tcpdump: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/see.php?"
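The grep and tcpdump one-liners above match on the raw string "del="; the following Python scanner, an added example that is not part of the advisory or of the project, applies the same detection guidance to Apache combined-format log lines but parses the request target properly, so it only flags /see.php requests whose query string actually carries a del parameter. The log lines embedded in it are constructed test data, not captured traffic.

```python
"""Scan Apache combined-format access logs for requests to the /see.php
deletion endpoint that carry a ``del`` parameter (CVE-2026-11533).

Added example, not part of the advisory; SAMPLE_LOG is constructed data."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_deletion_requests(lines):
    """Return one dict per request to /see.php whose query string has a ``del`` key.

    Every such request is reported regardless of HTTP status or the logged user:
    the advisory says the DELETE runs before the permission check, so a response
    that only displayed a permission warning may still have removed the record.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/see.php"):
            continue  # the application may be mounted under a sub-path
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "del" not in qs:
            continue  # plain view of the page, not a deletion attempt
        hits.append({"ip": m.group("ip"), "time": m.group("time"),
                     "user": m.group("user"), "student_id": qs["del"][0],
                     "status": int(m.group("status"))})
    return hits

def summarize_by_client(hits):
    """Count flagged deletion requests per client IP, for alert thresholds."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample lines: two deletions from one client, one plain page view
# of /see.php, and an unrelated request that happens to contain "del=".
SAMPLE_LOG = [
    '203.0.113.7 - viewer [08/Jun/2026:10:01:02 +0000] "GET /see.php?submit=submit&del=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - viewer [08/Jun/2026:10:01:05 +0000] "GET /see.php?submit=submit&del=43 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - admin [08/Jun/2026:10:02:00 +0000] "GET /see.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jun/2026:10:03:00 +0000] "GET /index.php?del=1 HTTP/1.1" 200 1024 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_deletion_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} user={hit["user"]} del={hit["student_id"]} status={hit["status"]}')
```

Because the flaw deletes before authorizing, each flagged request should be reconciled against the student table (or a database audit log) to confirm which records are actually gone.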
Mitigation Strategies

Immediate mitigation steps include restricting access to the /see.php endpoint and disabling the deletion functionality until a proper authorization check is implemented.

Ensure that server-side authorization checks occur before any deletion queries are executed to prevent unauthorized users from deleting records.

As a temporary measure, monitor and block suspicious requests that include the del parameter in /see.php.

If possible, restrict the user accounts with VIEW permissions from accessing the deletion functionality or limit their session privileges.

Compliance Impact

This vulnerability allows a user with only VIEW permissions to delete student records due to missing server-side authorization in the student management system. Such unauthorized deletion of records can lead to improper handling of sensitive personal data.

Improper authorization and unauthorized data deletion can violate data protection requirements under regulations like GDPR and HIPAA, which mandate strict controls over access to and modification of personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance with these standards by enabling unauthorized data manipulation, potentially leading to data integrity issues and regulatory non-compliance.
