MEDIUM 6.3

CVE-2026-11475: SQL Injection in Kushan2k Student Management Certificate Verification

A SQL injection vulnerability has been discovered in Kushan2k's student-management-system affecting the Certificate Verification Endpoint. An attacker with login credentials can manipulate the 'nic' parameter in the getStatus function to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The vulnerability is rated MEDIUM severity and exploits have been publicly disclosed, creating immediate risk for deployed instances.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in controllers/GradeController.php within the getStatus function of the Certificate Verification Endpoint. The 'nic' parameter is not properly sanitized before being used in SQL queries, allowing authenticated users to execute arbitrary SQL through CWE-89 (SQL Injection) via CWE-74 (Improper Neutralization of Special Elements in Output). The affected commit hash is f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The project operates on a rolling release model without discrete version numbers, complicating patch tracking.

Business impact

Organizations running this student management system face confidentiality, integrity, and availability risks. Attackers with valid credentials can extract sensitive student data (grades, personal identifiers, certificates), modify academic records, or degrade system availability. Educational institutions relying on this for certificate issuance face operational disruption and potential reputational damage from data breaches or fraudulent certificate generation.

Affected systems

Kushan2k student-management-system up to commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a is affected. The rolling-release development model means no discrete version numbering is used. Any deployment incorporating the vulnerable commit or earlier is at risk. Organizations should review their current deployment state against the repository commit history.

Exploitability

Exploitation is straightforward and requires only valid user credentials and network access to the Certificate Verification Endpoint. The attack is remotely exploitable with no special user interaction required (CVSS vector: AV:N/AC:L/PR:L/UI:N). Public exploit code is available, lowering the barrier to weaponization. Insider threats, compromised accounts, or lateral movement within an organization could enable this attack.

Remediation

The project has not yet released a formal patch despite early notification. Organizations should immediately review the Kushan2k repository for commits after f16a4ceaddd6729c4b306ed4641cda3176c1ef2a that address SQL injection in GradeController.php. Input validation and parameterized queries must replace string concatenation for all database operations. As a temporary control, restrict access to the Certificate Verification Endpoint to trusted networks and monitor for suspicious SQL patterns in logs.

Patch guidance

Because this project uses rolling releases without version numbers, patching requires monitoring the upstream repository. Check the Kushan2k GitHub repository for commits addressing SQL injection in controllers/GradeController.php after the vulnerable commit. Apply any available fixes and test thoroughly in a staging environment before production deployment. If no upstream patch is available, implement the fix locally by using parameterized queries (prepared statements) for all nic parameter handling, ensuring proper input validation and output encoding.

Detection guidance

Monitor application logs for SQL syntax errors or unusual query patterns in certificate verification requests. Look for requests to the getStatus endpoint containing SQL metacharacters (quotes, semicolons, UNION keywords) in the nic parameter. Implement Web Application Firewall (WAF) rules to block common SQL injection patterns. Database query logging can reveal malicious SQL attempts. Search for evidence of unauthorized data extraction or modification in academic records, particularly in grade or certificate tables. Check for failed and successful authentication attempts preceding suspicious queries.

Why prioritize this

This vulnerability merits prompt attention due to the combination of public exploit availability, authenticated-but-easy exploitation, and sensitive data exposure risk in an educational context. The MEDIUM CVSS score (6.3) may understate business impact given the nature of academic records and certificate fraud potential. The lack of a vendor response despite notification increases urgency for defensive action on your infrastructure.

Risk score, explained

CVSS 6.3 reflects remote network exploitability (AV:N), low attack complexity (AC:L), authenticated access requirement (PR:L), and impact to confidentiality, integrity, and availability of one impacted security property (C:L/I:L/A:L). The score does not weight the reputational risk of certificate fraud or the availability of public exploits. Organizations should layer this metric with business context: certificate system compromise may warrant elevated internal risk ratings.

Frequently asked questions

Does this vulnerability affect all users or only administrators?

No. The vulnerability requires valid login credentials (PR:L in CVSS), but does not require administrative privileges. Any authenticated user of the student management system can attempt exploitation, making insider threats and compromised low-privilege accounts viable attack vectors.

How can I determine if my deployment is vulnerable?

Review your current checkout or deployment against the Kushan2k repository. If you are running code at or before commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a, you are affected. Additionally, audit controllers/GradeController.php to confirm whether SQL queries using the nic parameter employ parameterized queries; if they use string concatenation, the system is vulnerable.

What should I do if the upstream project has not yet patched?

Implement input validation and parameterized queries (prepared statements) in your local codebase to neutralize the SQL injection. Restrict access to the Certificate Verification Endpoint through network controls and authentication policies. Enable detailed logging and WAF rules to detect exploitation attempts. Consider running a code review of all database interactions for similar flaws.

Is this in the CISA Known Exploited Vulnerabilities (KEV) catalog?

No, this vulnerability is not currently listed in the CISA KEV catalog, though public exploits are available. CISA inclusion is separate from public exploit availability; monitor for KEV addition as a signal of increased threat activity.

This analysis is based on the CVE record published 2026-06-08 and modified 2026-06-17. Verify all patch versions, affected product details, and remediation steps against the official Kushan2k repository and vendor advisories before implementing changes. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance; consult your security team and the vendor for definitive patching instructions. This vulnerability analysis does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).