CVE-2026-10777: ealpha072 Student-Management-System Authentication Bypass in Admin Backend
A weakness in the administrative backend of ealpha072's Student-Management-System allows attackers to bypass authentication controls and gain unauthorized access to sensitive functions. The vulnerability exists in the admin/config.php file and can be exploited remotely without requiring any special privileges or user interaction. Because exploit code is publicly available, the risk of active abuse is elevated. The project uses a rolling release model, so specific patched versions have not been publicly disclosed.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component Administrative Backend. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10777 is an improper authentication vulnerability (CWE-287) affecting ealpha072 Student-Management-System up to commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. The flaw resides in the admin/config.php administrative backend component and permits remote, unauthenticated attackers to manipulate an unknown function, circumventing authentication mechanisms. The CVSS v3.1 score of 7.3 (HIGH) reflects a network-accessible attack with low complexity, no privileges required, no user interaction, and impact across confidentiality, integrity, and availability. The vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L confirms ease of exploitation and measurable damage potential.
Business impact
Unauthorized administrative access to a student management system poses significant operational and compliance risks. Attackers could view or alter student records, modify grades, access personally identifiable information (PII) of minors, disrupt class scheduling, or inject malicious content. Educational institutions face potential FERPA violations, reputational damage, loss of institutional trust, and possible regulatory fines. If the system handles enrollment, billing, or financial aid data, fraud and financial loss are also concerns.
Affected systems
ealpha072 Student-Management-System is affected up to and including commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. The project employs a rolling release model, meaning affected and patched versions are not formally versioned. Organizations running any deployment of this system should assume exposure unless they have independently verified fixes or isolations applied post-discovery.
Exploitability
The vulnerability is readily exploitable: it requires no authentication, no special user interaction, and can be triggered over the network with minimal technical sophistication. Public exploit code is available, significantly lowering the barrier to opportunistic attack. The lack of complexity (AC:L) and absence of privilege requirements (PR:N) make this a high-priority target for mass scanning and automated exploitation campaigns.
Remediation
Contact ealpha072 or monitor their repository for security updates addressing this vulnerability. Because the project uses a rolling release model without versioned patches, remediation requires either pulling the latest development branch after the vulnerability date (2026-06-03) and applying their fixes, or implementing compensating controls such as network-level access restrictions to admin/config.php, IP whitelisting, and Web Application Firewall (WAF) rules. Verify against the vendor's advisory or commit history to confirm the issue has been resolved before deploying.
Patch guidance
The ealpha072 project has not yet formally released a patched version; however, updates may be available in their rolling release branch post-2026-06-17. Monitor their repository and security advisories for commit-level fixes. Once updates are identified, test thoroughly in a non-production environment before deployment. Implement a process to regularly pull and review commits from the project to ensure security issues are addressed promptly. If waiting for a formal release, apply interim mitigations (see Remediation Summary).
Detection guidance
Look for unusual administrative backend access patterns, particularly requests to admin/config.php from unexpected source IPs or at off-hours. Monitor for failed authentication attempts followed by successful admin access without corresponding login records. Web application firewalls and intrusion detection systems should flag attempts to manipulate the admin/config.php endpoint. Log all administrative changes and cross-reference them with authorized personnel. Conduct file integrity monitoring on admin/config.php to detect unauthorized modifications.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score (7.3), public exploit availability, network accessibility, and lack of authentication barriers. The educational context—access to student records and PII—elevates legal and compliance stakes. Rapid, widespread exploitation is probable given the low technical bar and public PoC code.
Risk score, explained
The CVSS v3.1 score of 7.3 (HIGH) reflects: (1) network-based attack vector with no special access required, (2) minimal attacker effort, (3) impact on all three security pillars (confidentiality, integrity, availability), and (4) lack of scope changes. While not critical (8.0+), the combination of trivial exploitation, public tooling, and high-value target (student data) justifies treatment as a critical business risk and deployment priority.
Frequently asked questions
What is the actual functionality of admin/config.php that is vulnerable?
The vulnerability description references 'some unknown functionality' in admin/config.php. The precise code path or feature affected has not been publicly detailed. Organizations should examine the admin/config.php file for authentication checks and consult ealpha072's security disclosure or commit logs for specifics.
Does rolling release mean I cannot track which version I'm running?
Yes. ealpha072 uses continuous delivery without formal version numbers. You will need to track commits or branch identifiers. Note the vulnerable-through commit (01451bd7a2f58cdda07bd0b86e3967582e3ecd08) and verify your deployment against it. Check the project's commit history or security advisories to identify when the fix was merged.
Is this vulnerability currently being actively exploited in the wild?
The vulnerability was published on 2026-06-03, and public exploit code is available. While KEV (Known Exploited Vulnerability) status is not yet assigned, public PoC availability strongly suggests active or near-term exploitation risk. Assume active scanning and exploitation attempts are underway.
Can I mitigate this without waiting for a patch?
Yes. Implement network-level access controls restricting admin/config.php to trusted IP ranges, deploy WAF rules to block suspicious admin requests, enable comprehensive audit logging, and monitor for authentication bypasses. However, these are temporary measures; obtaining and deploying the actual fix is essential.
This analysis is based on disclosed vulnerability information as of 2026-06-17. ealpha072 has not yet responded to the reported issue or released an official patch; refer to their repository and security advisories for the latest status. No exploit code, weaponized proof-of-concept, or vulnerability-triggering steps are provided herein. Organizations should conduct independent security testing and validate all mitigations in non-production environments. Patch version numbers and specific affected software variants should be verified against ealpha072's official advisory before deployment. SEC.co does not warrant completeness or accuracy of remediation timelines and recommends consultation with your vendor and security team. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10288HIGHHotel Reservation System Admin Authentication Bypass
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-40964HIGHCloud Foundry Authentication Bypass Exposes All Logs and Metrics