CVE-2026-5642
Published: 06 April 2026
Summary
CVE-2026-5642 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to prevent improper authorization bypasses via Name argument manipulation in /viva/update.php.
Validates and sanitizes HTTP POST inputs like the Name argument to block manipulation that triggers the authorization flaw.
Enforces least privilege to limit potential damage from successful exploitation of the improper authorization and privilege assignment vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable improper authorization vulnerability in a public-facing web application (HTTP POST handler in Student-Management-System), directly enabling the T1190 technique of exploiting public-facing applications.
NVD Description
A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It is possible to initiate…
more
the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-5642 is an improper authorization vulnerability in the Cyber-III Student-Management-System, affecting commits up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. The issue resides in an unknown function within the file /viva/update.php, part of the HTTP POST Request Handler component. By manipulating the "Name" argument, attackers can bypass authorization controls. The software uses a rolling release model, so no specific affected or patched versions are available.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, stemming from CWEs 266 (Incorrect Privilege Assignment) and 285 (Improper Authorization).
Advisories from VulDB and the project's GitHub repository note that the vulnerability has been publicly disclosed with an exploit available for use. The issue was reported early via GitHub issue #236, but the project maintainers have not responded or issued patches. Due to the rolling release, users should monitor the repository at https://github.com/Cyber-III/Student-Management-System/ for updates.
The exploit's public availability increases the risk of utilization in the wild, though no confirmed real-world attacks are documented in the provided references.
Details
- CWE(s)