PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10272 a4m4 CVE debrief

A vulnerability in a4m4 Student-Management-System up to commit f0c5f6842c5e8c431ff02b5260a565ca844df3a0 allows improper authorization via the sid parameter in admin/deleteform.php. The attack can be launched remotely and the exploit has been publicly disclosed. The project uses rolling releases and has not yet responded to the issue report.

Vendor: a4m4
Product: Student-Management-System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running a4m4 Student-Management-System instances, particularly those exposing administrative interfaces to broader networks. Security teams monitoring PHP-based student management applications and developers maintaining forked or customized versions of this project.

Technical summary

The vulnerability exists in admin/deleteform.php, where manipulation of the sid parameter leads to improper authorization: the application fails to verify that the requesting user has sufficient privileges before executing the deletion. Because the project uses rolling releases, no patched version number is available. The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. Per the CVSS 4.0 scoring, the confidentiality impact is none and the integrity and availability impacts are low.

Defensive priority

medium

Recommended defensive actions

  • Restrict access to admin/deleteform.php to authorized administrative users only
  • Implement proper authorization checks on the sid parameter before processing deletion requests
  • Apply input validation and session verification for all administrative functions
  • Monitor for unauthorized access attempts to admin/deleteform.php
  • Consider implementing multi-factor authentication for administrative interfaces
  • Review and audit other administrative endpoints for similar authorization weaknesses
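The following is an added example of what the first three actions look like in a PHP handler for a deletion endpoint of this shape; it is not the project's own admin/deleteform.php. The table and column names (students.sid), the session keys (user_id, role, csrf_token), the database DSN and the redirect target are assumptions.

```php
<?php
// Added example, not the project's code: a hardened deletion handler pattern.
// Assumed: session keys user_id/role/csrf_token, table students with column sid.
declare(strict_types=1);
session_start();

// Deletions are state-changing: require POST plus a per-session CSRF token,
// so a crafted link or cross-site form cannot trigger them.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
if (!isset($_SESSION['csrf_token'], $_POST['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Authentication and authorization come from the server-side session only;
// no request parameter (including sid) may influence the privilege decision.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    error_log(sprintf('deleteform.php denied: ip=%s user=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-', (string) ($_SESSION['user_id'] ?? '-')));
    exit('Forbidden');
}

// Input validation: sid must be a positive integer before it reaches the query.
$sid = filter_input(INPUT_POST, 'sid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($sid === false || $sid === null) {
    http_response_code(400);
    exit('Invalid sid');
}

// Assumed DSN and credentials; the password is read from the environment.
$pdo = new PDO('mysql:host=localhost;dbname=sms', 'sms_user',
    getenv('SMS_DB_PASS') ?: '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('DELETE FROM students WHERE sid = :sid');
$stmt->execute([':sid' => $sid]);

// Audit record for the monitoring action above: who deleted what, and whether
// a row actually matched.
error_log(sprintf('deleteform.php: user=%s deleted sid=%d rows=%d',
    (string) $_SESSION['user_id'], $sid, $stmt->rowCount()));
header('Location: students.php');
exit;
```

The denied-access log line is the signal to alert on when monitoring this endpoint, since a legitimate administrator should rarely, if ever, produce it.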

Evidence notes

The vulnerability is documented in the NVD record with Vuldb as the CNA. The affected file is admin/deleteform.php with the sid parameter as the attack vector. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization) are identified.

Official resources

Public disclosure occurred on 2026-06-01. The exploit has been disclosed to the public and may be used. The project was informed early through an issue report but has not responded yet.