Skip to content
Threat Feed
high threat

CVE-2026-9517: CodeIgniter-StudentManagementSystem Improper Access Control

A vulnerability in hemant6488 CodeIgniter-StudentManagementSystem allows remote attackers to perform improper access controls by manipulating the /index.php/students/addStudentView file, with a publicly available exploit and no vendor response.

A vulnerability, identified as CVE-2026-9517, exists within hemant6488’s CodeIgniter-StudentManagementSystem. Specifically, the vulnerability resides in an unknown function of the /index.php/students/addStudentView file within the Student Management Handler component. Successful exploitation enables remote attackers to bypass intended access restrictions. The exploit is publicly accessible, increasing the risk of widespread abuse. The lack of version information due to the rolling release model complicates patch management. The project maintainers were notified of the vulnerability through an issue report but have yet to respond, leaving systems vulnerable.

Attack Chain

  1. An attacker identifies a vulnerable CodeIgniter-StudentManagementSystem instance exposed on the network.
  2. The attacker crafts a malicious HTTP request targeting the /index.php/students/addStudentView endpoint.
  3. The request manipulates parameters to bypass access control checks within the application.
  4. The application fails to properly validate the attacker’s permissions due to the vulnerability.
  5. The attacker gains unauthorized access to student management functions.
  6. The attacker leverages the access to view, modify, or delete student records.
  7. The attacker escalates privileges within the application to gain further control.
  8. The attacker may pivot to other parts of the system, potentially compromising sensitive data.

Impact

Successful exploitation of CVE-2026-9517 allows unauthorized individuals to manipulate student data within the CodeIgniter-StudentManagementSystem. This can lead to data breaches, unauthorized modifications of records, and potentially complete system compromise. The absence of a patch and public exploit availability increase the risk of widespread exploitation. The lack of version information hinders targeted mitigation efforts.

Recommendation

  • Monitor web server logs for suspicious requests to /index.php/students/addStudentView containing unusual parameters, using the Sigma rule provided below.
  • Implement rate limiting on the /index.php/students/addStudentView endpoint to mitigate potential brute-force attacks.
  • Apply generic web application firewall (WAF) rules to block common access control bypass attempts, such as path traversal or SQL injection.
  • Consider migrating to a supported student management system or implementing compensating controls until a patch is available for CVE-2026-9517.

Detection coverage 2

Detect CVE-2026-9517 Attempt — Suspicious Access to addStudentView

high

Detects CVE-2026-9517 exploitation attempt — access to the addStudentView endpoint with potentially malicious parameters

sigma tactics: persistence, privilege_escalation techniques: T1555 sources: webserver

Detect CVE-2026-9517 Attempt — Abnormal HTTP Method to addStudentView

medium

Detects CVE-2026-9517 exploitation attempt — non-GET/POST requests to the addStudentView endpoint

sigma tactics: persistence, privilege_escalation techniques: T1555 sources: webserver

Detection queries are available on the platform. Get full rules →