CVE-2026-11532: Improper Access Control in imvks786 Student Management System
A security flaw has been discovered in imvks786's student management system that weakens access controls on student records. An authenticated user with basic access can manipulate requests to the Student Record Handler component (/add.php) to gain unauthorized permissions or modify data they shouldn't be able to touch. The vulnerability requires login credentials but can be exploited remotely. Public disclosure of exploitation techniques has already occurred, increasing near-term risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11532 is an improper access control vulnerability (CWE-266, CWE-284) affecting imvks786 student_management_system. The flaw resides in an unnamed function within the /add.php file of the Student Record Handler component. The affected commit is 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The vulnerability permits authenticated attackers to bypass authorization checks through request manipulation, potentially allowing unauthorized disclosure, modification, or limited disruption of student records. The product uses a rolling release model without discrete version numbering, complicating patch tracking. CVSS 3.1 score is 6.3 (MEDIUM: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Business impact
Educational institutions and administrative systems using this student management platform face direct risk to sensitive personal data (names, contact information, academic records, enrollment status). Unauthorized modification of student records can result in academic transcript fraud, enrollment status manipulation, or data theft. Regulatory compliance implications exist under FERPA (Family Educational Rights and Privacy Act) in the US and similar data protection laws globally. Reputational damage and potential legal liability follow any unauthorized access to student data.
Affected systems
imvks786 student_management_system is affected up to and including commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46. The product employs a rolling release delivery model without traditional version numbers, meaning patch status cannot be determined from version strings alone. Organizations must contact the vendor or monitor the project repository directly to confirm whether their deployment includes the fixed code.
Exploitability
Exploitation is remote but requires valid authentication credentials. An attacker must already possess login access to the system—either through credential compromise, insider threat, or legitimate user account abuse. The barrier to exploitation is relatively low once authenticated; the vulnerability does not require special user interaction or complex technical steps. Public availability of exploit techniques further lowers the barrier. Active exploitation in the wild is possible but not confirmed as widespread at this time.
Remediation
Immediate action should focus on identifying which commit your deployment is based on and confirming whether fixes have been merged upstream. Review the imvks786 student_management_system repository for security patches or contact the vendor for guidance given the rolling release model. In parallel, implement compensating controls: restrict network access to /add.php, enforce strong authentication policies, audit access logs for suspicious student record modifications, and consider temporary disabling of bulk record modification features if feasible. Validate all student record changes against source documentation.
Patch guidance
Because this product uses continuous rolling releases without discrete version numbers, traditional patch version guidance does not apply. Check the project repository's commit history and security advisories to identify whether your current deployment includes the fix. The vulnerable commit is 9599b560ad3c3b83e75d328b76bedcd489ef1f46; confirm your installation is on a more recent commit. Subscribe to the project's security notifications or issue tracker for updates. If the vendor has not released a fix within 30 days of disclosure, escalate to leadership and consider alternative products or aggressive compensating controls.
Detection guidance
Monitor HTTP access logs for POST/GET requests to /add.php with unusual parameter patterns or repeated access from the same authenticated user. Alert on rapid successive modifications to student records, particularly when the modifier's role does not typically perform bulk edits. Implement audit logging for all student record changes, capturing the authenticated user, timestamp, fields modified, old and new values, and source IP. Search for exploit payloads in web application firewalls (WAF) logs; public exploit code may reveal signature patterns. Review access control lists and permission assignments for student_management_system accounts to identify overprivileged users or accounts that should not have modification rights.
Why prioritize this
This vulnerability merits urgent review despite a MEDIUM CVSS score because it directly threatens sensitive personally identifiable information (PII) in an education context, exploitation is already public, and the vendor has not yet confirmed a fix. The combination of data sensitivity, authenticated-but-easy exploitation, and public disclosure elevates operational risk. However, the requirement for valid credentials prevents this from being a critical, unauthenticated remote code execution scenario.
Risk score, explained
CVSS 3.1 score of 6.3 reflects a remote, low-complexity attack requiring low privilege (authenticated user) with no user interaction, affecting confidentiality, integrity, and availability equally (L/L/L impact). The scope is unchanged. This score correctly captures the moderate threat posed by authenticated access control bypass—more severe than a low-impact information leak, but less critical than privilege escalation or code execution. The public availability of exploitation techniques and lack of vendor response should elevate this in your organization's risk model beyond the base CVSS score.
Frequently asked questions
Do I need to patch immediately, or can I wait?
Given public exploit availability and lack of vendor response, you should not wait. Begin patching or deploy compensating controls within 48 hours. If you cannot patch (rolling release complicates this), implement strict network segmentation, restrict /add.php access, and intensify audit logging immediately.
How do I know if my version is patched when there are no version numbers?
Review your deployment's Git commit hash and cross-reference it against the project's public repository. The vulnerable commit is 9599b560ad3c3b83e75d328b76bedcd489ef1f46. If your commit is after any security fix merge, you may be safe—but verify by checking the project's security advisories or changelog. When in doubt, contact your vendor or the project maintainer directly.
What data is actually at risk?
Student records in the system are at risk, including personally identifiable information, academic transcripts, enrollment status, contact details, and any custom fields stored in the database. An attacker with the access control bypass can read, modify, or in some cases delete records depending on the underlying database permissions.
Is this in the KEV catalog?
No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, though public exploit code exists. KEV listing would trigger federal contractor reporting obligations. Monitor CISA's KEV list for any addition of this CVE.
This analysis is provided for informational purposes. Organizations should validate all remediation steps and patch information against official vendor advisories and their own testing environments. Because this product uses a rolling release model, version and patch availability may differ from traditional software. The public exploit code may vary in scope and may not represent all possible attack vectors. This analysis does not constitute legal or compliance advice; consult your legal and compliance teams regarding FERPA and other regulatory obligations. CVSS scores represent base severity under standard conditions and should be contextualized within your organization's risk model and asset sensitivity. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-11466MEDIUMZilliz deep-searcher Access Control Bypass – CVSS 5.4
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation