PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11476 Kushan2k CVE debrief

CVE-2026-11476 is an improper authorization vulnerability in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The vulnerability affects the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Vendor
Kushan2k
Product
student-management-system
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-08
Advisory published
2026-06-08
Advisory updated
2026-06-08

Who should care

Administrators and users of Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Technical summary

The vulnerability has a CVSS score of 2.1 and a CVSS severity of LOW. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weaknesses associated with this vulnerability are CWE-266 and CWE-285.

Defensive priority

LOW

Recommended defensive actions

  • Update to a version that includes a fix for this vulnerability, if available.
  • Restrict access to the Profile Update Endpoint to prevent unauthorized access.
  • Monitor the system for suspicious activity.

Evidence notes

The vulnerability was detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. The project was informed of the problem early through an issue report but has not responded yet.

Official resources

CVE-2026-11476 was published on 2026-06-08T02:16:23.747Z and modified on 2026-06-08T14:57:14.757Z.