CVE-2026-11533: Improper Authorization in Student Management System Deletion Endpoint
A vulnerability in the imvks786 student_management_system allows an authenticated user to bypass authorization controls on the student deletion function. By manipulating a parameter called 'del' in the /see.php endpoint, an attacker with login credentials can perform unauthorized deletions of student records. The vulnerability requires valid authentication but does not need special privileges, meaning any logged-in user—including those with limited access—could exploit it. Public disclosure has occurred, increasing the likelihood of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11533 is an improper authorization flaw (CWE-266, CWE-285) in the student_management_system's Student Deletion Endpoint (/see.php). The vulnerability stems from insufficient access control on the 'del' parameter, allowing authenticated attackers to delete records they should not have permission to modify. The attack vector is network-based and requires valid credentials (PR:L), but no elevated privileges or user interaction. The system uses continuous rolling releases without traditional version numbering, making patch status tracking difficult.
Business impact
Unauthorized student record deletion can disrupt academic operations, compromise data integrity, and create compliance issues under education data protection regulations. Administrative staff relying on accurate student databases may experience service disruption and require manual recovery efforts. The cumulative effect of multiple deletions could cause significant institutional harm, particularly if records are permanently lost or only recoverable through backups.
Affected systems
imvks786 student_management_system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46 is confirmed vulnerable. Because this project uses a rolling release model without discrete version tags, organizations must identify their deployment by commit hash or deployment date (published 2026-06-08, modified 2026-06-17) to determine exposure. Any installation of the system from before the patch commit should be considered at risk.
Exploitability
Exploitability is moderate. The attack requires valid authentication—an attacker must have user account credentials—but does not require administrative privileges or social engineering. The CVSS score of 5.4 reflects this: the 'L' in PR:L indicates low privilege requirement, and AC:L means attack complexity is low once inside. Public disclosure has occurred and working exploits are available, making this a realistic near-term risk for internet-facing or internally-exposed instances. However, the requirement for valid credentials limits exposure to insider threats or compromised accounts.
Remediation
Apply the patch from commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46 or later. Since the project uses rolling releases, verify your current deployment commit hash against the vendor's latest main branch. The vendor was notified early but has not yet publicly confirmed a fix, so monitor the project repository for updates. As an interim control, restrict API access to the /see.php endpoint using network segmentation, limit user account creation to trusted staff, and enforce password policies to reduce the likelihood of compromised credentials.
Patch guidance
Update to a commit after 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Given the rolling release model, pull the latest version from the vendor's primary development branch and test thoroughly in a staging environment before production deployment. Verify that authorization checks on the 'del' parameter enforce proper ownership and role validation (e.g., only admins or the creating user can delete). If the vendor has not yet released a fix, consider backporting the authorization logic yourself or implementing a Web Application Firewall (WAF) rule to block suspicious 'del' parameter manipulation until a patch is available.
Detection guidance
Monitor logs for DELETE or modification operations on the /see.php endpoint, especially from non-administrative accounts. Look for repeated 'del' parameter requests with IDs that do not belong to the requesting user. Implement database audit trails on the student records table to detect mass deletions. Network-based detection should flag unusual patterns of student record deletion requests originating from single user accounts or sessions. Application instrumentation can help log authorization failures when the 'del' parameter is used improperly.
Why prioritize this
Although the CVSS score is medium (5.4), prioritize this vulnerability for remediation because: (1) it affects data integrity in a mission-critical system; (2) public exploits exist; (3) only user authentication is required, making it exploitable by insiders or via credential compromise; and (4) the vendor has not yet responded, indicating ongoing unfixed exposure. Educational institutions should treat this as high priority due to regulatory obligations around student data protection.
Risk score, explained
The CVSS v3.1 score of 5.4 (MEDIUM) reflects a network-accessible vulnerability that requires valid credentials (PR:L) but causes integrity and availability impact through unauthorized deletion (I:L, A:L). No confidentiality impact (C:N) is scored because deletion does not expose data, only removes it. The attack has low complexity (AC:L) once authenticated. The medium severity is appropriate but should not mask the business and compliance impact of data loss in an educational context.
Frequently asked questions
Do I need administrator privileges to exploit this vulnerability?
No. The vulnerability requires only a valid user login—any authenticated user can attempt the exploit. This makes it particularly risky if user credentials are compromised or if disgruntled staff with basic access want to cause harm.
Is there a temporary workaround if patching is delayed?
Yes. Implement network controls to restrict access to the /see.php endpoint, enforce strong password policies, monitor deletion logs, and maintain regular backups. A WAF rule to validate and sanitize the 'del' parameter can provide short-term protection, but a code-level patch is essential.
How do I know which version of the system I am running if the vendor uses rolling releases?
Check the git commit hash of your deployment and compare it against the vulnerable commit (9599b560ad3c3b83e75d328b76bedcd489ef1f46). If your commit is older, you are vulnerable. Consult the vendor's repository for the latest commit in their main branch.
What should I look for in logs to detect exploitation attempts?
Search for DELETE or student record modification operations in the /see.php endpoint logs, especially those initiated by non-administrative users or targeting student IDs that do not match the requester's own records. Unusual spikes in deletion activity or access from unexpected user accounts are red flags.
This analysis is based on publicly disclosed information available as of 2026-06-17. The vendor has not yet confirmed a fix. Organizations should verify patch status against the official project repository and test thoroughly before deployment. Rolling release projects may lack clear version history; use commit hashes to track vulnerability status. This explainer does not constitute formal security advice and should be supplemented with organization-specific risk assessment and vendor guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions
- CVE-2026-10285MEDIUMDevaslanPHP Improper Authorization in Ticket Handler