PatchSiren cyber security CVE debrief
CVE-2026-11475 Kushan2k CVE debrief
A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. It affects the function getStatus in the file controllers/GradeController.php of the Certificate Verification Endpoint component. Manipulating the nic argument can lead to SQL injection. The attack may be launched remotely.
- Vendor: Kushan2k
- Product: student-management-system
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a should be aware of this vulnerability and take necessary precautions.
Technical summary
The vulnerability is caused by a lack of proper input validation in the getStatus function of the GradeController. An attacker can exploit this vulnerability by manipulating the nic argument, leading to SQL injection.
Defensive priority
LOW
Recommended defensive actions
- Update to the latest version of Kushan2k student-management-system if available.
- Implement proper input validation and sanitization for user input.
- Use prepared statements to prevent SQL injection attacks.
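The last two actions, allow-list validation followed by a prepared statement, sketched as an added example; it is not the project's code, which this page does not show. The function names getStatusSafe and lookupStatus, the certificates table and its columns, the assumed NIC format, and the in-memory SQLite database standing in for the real one are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical lookup: the `certificates` table and its columns are assumptions.
function lookupStatus(PDO $db, string $nic): ?string
{
    // The SQL text is fixed; $nic is bound as a parameter and is only ever data.
    $stmt = $db->prepare('SELECT status FROM certificates WHERE nic = :nic LIMIT 1');
    $stmt->execute([':nic' => $nic]);
    $status = $stmt->fetchColumn();
    return $status === false ? null : (string) $status;
}

// Hypothetical hardened handler: allow-list validation, then the bound query.
function getStatusSafe(PDO $db, string $nic): ?string
{
    // Assumed format: 1-20 ASCII letters or digits. Adjust to the real NIC rules.
    if (preg_match('/\A[0-9A-Za-z]{1,20}\z/', $nic) !== 1) {
        return null; // rejected before any query runs
    }
    return lookupStatus($db, $nic);
}

// Constructed test data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE certificates (nic TEXT PRIMARY KEY, status TEXT NOT NULL)');
$db->exec("INSERT INTO certificates VALUES ('900000000V', 'issued'), ('910000000V', 'pending')");

// Constructed inputs: a known NIC, an unknown NIC, and a value carrying a quote.
$inputs = ['900000000V', '000000000V', "900000000V' OR '1'='1"];
foreach ($inputs as $nic) {
    printf(
        "%-24s validated=%s bound-only=%s\n",
        $nic,
        var_export(getStatusSafe($db, $nic), true),
        var_export(lookupStatus($db, $nic), true)
    );
}
```

If the application uses PDO with MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so that parameters are bound by the server rather than interpolated client-side.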
Evidence notes
The vulnerability was reported to the project early through an issue report, but the project has not yet responded.
Official resources
CVE-2026-11475 was published on 2026-06-08T02:16:23.577Z and modified on 2026-06-08T14:57:14.757Z.