Security Advisory - Published 2026-06-08 - File upload RCE
Student Management System CVE-2026-11474: Unrestricted Upload Self-Check
CVE-2026-11474 affects Kushan2k student-management-system. The public
report points to the registration image field stimg: server-side code
saves uploaded files into public/profiles/ after checking size, but
without enough file type validation. If PHP runs in that public folder, an uploaded
"image" can become code execution.
What is affected
- Product: Kushan2k student-management-system
- CVE: CVE-2026-11474
- Component: registration endpoint / student image upload
- Reported files:
service/RegisterService.phpandcontrollers/RegisterController.php - Argument:
stimg - Weakness: unrestricted upload of a dangerous file type, mapped to CWE-434 / CWE-284 in public metadata
- Public exploit signal: yes
- Known exploited in CISA KEV: no, as of this publication
The dangerous condition is simple: an upload field accepts a file, stores it under a public directory, and the web server is willing to execute that file as PHP. That turns a profile image feature into a backdoor path.
10-minute self-check
Step 1: Confirm the project and registration route
Search the application folder for the reported files. If the project is no longer used, shut down the public vhost and archive the code offline.
find /var/www /home /www -path "*student-management-system*" -type d 2>/dev/null
find /var/www /home /www \( -path "*RegisterService.php" -o -path "*RegisterController.php" \) -type f 2>/dev/null Step 2: Inspect upload handling
From the project root, search the upload path and field name:
grep -R "stimg\|move_uploaded_file\|public/profiles" service controllers -n 2>/dev/null
Risk signs: only checking file size, reusing the original filename, saving directly
below public/profiles/, no extension allowlist, no MIME/content check,
and no randomized server-side filename.
Step 3: Hunt existing PHP files in the profile directory
Check for executable extensions under the public profile folder:
find /path/to/student-management-system/public/profiles -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" -o -name "*.php5" \) -ls Any match is suspicious. Preserve the file path, timestamp, owner, and web logs before deleting it. If you find a web shell, this is already an incident.
Step 4: Check web logs for profile execution
Search web-server logs for requests to uploaded PHP-like files:
grep -R "public/profiles/.*\.php\|public/profiles/.*\.phtml\|public/profiles/.*\.phar" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -50
Requests returning 200 from upload paths are the strongest signal. Also check for
POST requests to the registration controller followed by a GET request to a new
file in public/profiles.
Safe fix path
- Disable public registration temporarily. Stop new uploads while you inspect existing files.
- Block PHP execution in upload folders. Upload directories should serve static files only.
- Use an allowlist. Accept only expected image extensions and validate content with a server-side image library.
- Rename files on the server. Use random names, not user-supplied names.
- Store uploads outside the web root if possible. Serve them through a controlled download/image route.
- Scan and preserve evidence. If any executable upload exists, keep logs and rotate secrets before cleanup.
Temporary server hardening
For Nginx, deny PHP execution under the profile directory:
location ~ ^/public/profiles/.*\.(php|phtml|phar|php5)$ {
return 403;
} For Apache, put a deny rule inside the upload directory or the vhost:
<Directory "/path/to/student-management-system/public/profiles">
<FilesMatch "\.(php|phtml|phar|php5)$">
Require all denied
</FilesMatch>
</Directory> Test the rule with a harmless text file and a known static image. Existing profile photos should still load; PHP-like uploads should not execute.
When to treat it as an incident
- You find
.php,.phtml,.phar, or similar files inpublic/profiles. - Logs show requests to executable files under the profile upload path.
- The database has new admins, changed student records, or suspicious exports.
- Other sites on the same hosting account share writable directories or database credentials.
- You cannot prove whether uploaded files were only stored or actually executed.
Ping7 repair path
Ping7 can review the upload route, check for web shells, add upload-directory
execution blocks, and write a small cleanup plan. Start from
CVE Repair and include the domain, hosting type, and
whether public/profiles contains any PHP-like files.