Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9517 is an improper access-control flaw in hemant6488 CodeIgniter-StudentManagementSystem. A remote unauthenticated attacker may be able to reach the student add view without proper authorization. Public disclosure exists, but the sources do not show CISA KEV listing or confirmed real-world exploitation.
Executive priority
Prioritize this as a high-risk exposure issue for any deployed instance. The combination of remote unauthenticated access, public disclosure, unclear fixed versions, and no maintainer response creates near-term operational risk, especially for internet-facing school or student data systems.
Technical view
The reported issue affects /index.php/students/addStudentView in the Student Management Handler. VulDB assigns CVSS v2 7.5 with network access, low complexity, no authentication, and partial confidentiality, integrity, and availability impact. Affected release mapping is unclear because the project uses rolling releases and the maintainer has not responded.
Likely exposure
Exposure is most likely where this open-source student management system is deployed on internet-facing or broadly reachable web servers. Version-based matching is unreliable; the bundle names specific commit hashes but says updated release information is unavailable.
Exploitation context
The source bundle says exploit details have been publicly disclosed and may be used. It does not provide evidence of active exploitation, and kev is false. Treat public exposure as urgent but avoid assuming compromise without logs or other evidence.
Researcher notes
Evidence is based on CVE and VulDB reporting. The function is not named, fix status is not established, and affected versioning is commit-based rather than release-based. Do not infer broader CodeIgniter impact; the report is specific to hemant6488 CodeIgniter-StudentManagementSystem.
Mitigation direction
- Check the vendor repository and issue tracker for updated guidance or a fixed commit.
- Remove public access to the application until access control is verified.
- Restrict the student management routes to trusted networks or authenticated users.
- If maintaining a fork, enforce server-side authorization on student creation views.
- Monitor web logs for unexpected access to the affected student route.
Validation and detection
- Inventory deployments of hemant6488 CodeIgniter-StudentManagementSystem, including forks and copied code.
- Confirm whether /index.php/students/addStudentView is reachable without an authorized session.
- Map deployed code to the listed affected commits where possible.
- Review authentication and authorization checks around Student Management Handler routes.
- Check logs for unauthenticated or unusual access to the affected route.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-266: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-284: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9517 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.5 (2.0)
- Known Exploited
- No
- Published
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR 10 6.4 VulDB CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R 3.9 3.4 VulDB CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R 3.9 3.4 VulDB CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P — — VulDB Vulnerability scoring details
Base CVSS 4.0 score
6.9 MediumVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
7.3 HighVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Base CVSS 3.0 score
7.3 HighVector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Base CVSS 2.0 score
7.5 HighVector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365537 | hemant6488 CodeIgniter-StudentManagementSystem Student Management addStudentView access control CVE reference, VulDB · vdb-entry
- VDB-365537 | CTI Indicators (IOB, IOC, TTP, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #814277 | hemant6488 CodeIgniter-StudentManagementSystem 1.0 Unauthenticated Access CVE reference, VulDB · third-party-advisory
- https://github.com/hemant6488/CodeIgniter-StudentManagementSystem/issues/5 CVE reference, VulDB · exploit, issue-tracking
- https://github.com/hemant6488/CodeIgniter-StudentManagementSystem/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.