PatchSiren cyber security CVE debrief
CVE-2026-11474 Kushan2k CVE debrief
A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The vulnerability affects an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely.
- Vendor
- Kushan2k
- Product
- student-management-system
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-08
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-08
- Advisory updated
- 2026-06-08
Who should care
Users of Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a should be aware of this MEDIUM severity vulnerability.
Technical summary
The vulnerability has a CVSS score of 5.5 and is classified as CWE-284 and CWE-434. The exploit has been released to the public and may be used for attacks.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply updates as they become available, as the project uses a rolling release model to deliver continuous updates.
- Monitor the project for an official response and patch.
Evidence notes
The project was informed of the problem early through an issue report but has not responded yet.
Official resources
CVE-2026-11474 was published on 2026-06-08T01:16:23.073Z and modified on 2026-06-08T14:57:14.757Z.