CVE-2026-5472

Medium
Weakness Type: CWE-284 (Improper Access Control). NVD records CWE-284 for this entry; the behaviour described, upload of a file with a dangerous type, is otherwise catalogued as CWE-434.
Published: Apr 3, 2026  ·  Modified: Apr 6, 2026  ·  Source: NVD
CVSS v3
6.3
📄 Description (English)

A flaw has been found in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. The affected element is an unknown function of the file /admin_panel/settings.php of the component Profile Picture Handler. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.

🤖 AI Executive Summary

CVE-2026-5472 is a medium-severity (CVSS 3.1 base 6.3) unrestricted file upload vulnerability in the ProjectsAndPrograms School Management System, in the Profile Picture Handler of /admin_panel/settings.php. The vector (AV:N/AC:L/PR:L/UI:N) means a remote attacker holding a low-privilege account, with no user interaction, can submit a file of arbitrary type through the File argument. If the directory the handler writes to is served by the web server and executes scripts, that is remote code execution and full compromise of the host. The NVD description states that an exploit has been published, and no patch is recorded; the project is rolling-release, so no fixed commit is listed. Educational institutions running this system, including those in Saudi Arabia where it would hold student and staff records, should treat it as a priority despite the medium CVSS rating.


🤖 AI Intelligence Analysis Analyzed: May 18, 2026 15:17
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi educational institutions (K-12 schools, universities, and training centers) using ProjectsAndPrograms School Management System. Secondary impact extends to government education ministries (Ministry of Education), private educational providers, and any organization managing student/staff records through this platform. The unrestricted file upload capability could enable attackers to deploy malware, establish persistence, exfiltrate sensitive educational records, or disrupt school operations. Given Saudi Arabia's digital transformation initiatives in education, widespread adoption of such systems increases the attack surface.
🏢 Affected Saudi Sectors
Education (K-12 Schools, Universities, Training Centers) Government (Ministry of Education, Regional Education Departments) Private Educational Institutions EdTech Service Providers
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify every instance of ProjectsAndPrograms School Management System in your environment and record the deployed commit hash; the project is rolling-release, and the description marks builds up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 as affected.
2. Restrict network access to /admin_panel/ with firewall or WAF policies so that only trusted administrative addresses can reach it. The vector's PR:L means an authenticated low-privilege account is enough to exploit this, so also review which accounts can log in to the admin panel and disable any that are unused or shared.
3. Enforce upload restrictions in the application: allowlist image extensions only (.jpg, .png, .gif), check the file signature (magic bytes) on the server, and never rely on the client-supplied Content-Type header, which the attacker controls.
4. Disable the profile picture upload in the handler until a fix is available; no patch is recorded for this CVE.
5. Review access logs for POST requests to /admin_panel/settings.php and look for uploads with script extensions (.php, .phtml, .phar, .jsp, .sh, .exe), double extensions such as .php.jpg, and any upload immediately followed by a request for the uploaded file.

COMPENSATING CONTROLS:
6. Add WAF rules that block multipart uploads whose filename carries an executable extension. A filename rule does not inspect the body, so an image/PHP polyglot named .jpg passes it; treat this as defence in depth, not as the fix.
7. Stop the web server from executing anything in the upload directory. The filesystem execute bit alone does not help here: PHP runs a .php file that the web server hands to the interpreter regardless of that bit, so disable script handling for the directory in the server configuration (for Apache, php_admin_flag engine off or RemoveHandler in the directory's configuration; for nginx, a location block with no PHP handler).
8. Prefer storing uploads outside the web root and serving them through a script that sets a fixed image Content-Type and a Content-Disposition header; where that is not possible, a .htaccess or web.config in the directory that prevents script execution is the fallback.
9. Require the file signature to match the declared extension and reject mismatches; re-encoding accepted images with an image library also strips payloads appended after the image data.
10. Log every upload attempt to /admin_panel/settings.php with the account, source address, declared filename and result, and alert on rejected uploads as well as accepted ones.
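The checks in steps 3, 8 and 9 can be expressed as one small server-side validator. The following is an added example written for this page, not code from the ProjectsAndPrograms project (which is PHP; the logic transfers directly). The allowlist, the 2 MiB size limit, the storage root /var/lib/sms/profile_pictures and the sample uploads are all assumptions constructed for the example. The validator ignores the client-supplied Content-Type entirely, requires the file signature to agree with the extension, rejects double extensions, and stores the file under a random server-chosen name outside the web root.

```python
import os
import re
import secrets
import tempfile
from typing import Dict, Optional, Tuple

# Allowlisted extensions and the file signatures (magic bytes) each must start with.
IMAGE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 2 * 1024 * 1024                     # assumed limit for a profile picture
UPLOAD_ROOT = "/var/lib/sms/profile_pictures"   # assumed path outside the web root


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def sniff_extension(data: bytes) -> Optional[str]:
    """Return the extension implied by the magic bytes, or None if it is not an image we accept."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_profile_picture(client_filename: str, data: bytes) -> str:
    """Validate an upload and return its canonical extension, or raise UploadRejected.

    The client's Content-Type header is deliberately not a parameter: it is
    attacker-controlled and must never be used as evidence of the file type.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("size")
    # Keep only the last path component; strips "../" and backslash tricks in the name.
    base = re.split(r"[\\/]", client_filename)[-1].lower()
    parts = base.split(".")
    # Exactly one dot: rejects "shell.php.jpg", ".htaccess" and names without an extension.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("extension")
    ext = EXTENSION_ALIASES.get(parts[1], parts[1])
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected("extension")
    # Step 9: the magic bytes must agree with the claimed extension.
    if sniff_extension(data) != ext:
        raise UploadRejected("signature mismatch")
    # Defence in depth against image/PHP polyglots; the real control is where the file is stored.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded script")
    return ext


def store_profile_picture(user_id: int, client_filename: str, data: bytes, root: str = UPLOAD_ROOT) -> str:
    """Validate, then write under a random server-chosen name; the client's name is never reused."""
    ext = validate_profile_picture(client_filename, data)
    os.makedirs(root, mode=0o750, exist_ok=True)
    path = os.path.join(root, f"{int(user_id)}-{secrets.token_hex(16)}.{ext}")
    # O_EXCL guarantees a new file rather than an overwrite; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample uploads (not real captures): filename as sent by the client, body bytes.
SAMPLES: Dict[str, Tuple[str, bytes]] = {
    "real_png": ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    "php_named_jpg": ("avatar.jpg", b"<?php system($_GET['c']); ?>"),
    "double_extension": ("avatar.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "gif_php_polyglot": ("avatar.gif", b"GIF89a" + b"<?php echo 1; ?>"),
    "wrong_signature": ("avatar.png", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "path_traversal": ("../../var/www/html/x.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
}


def check_samples() -> Dict[str, str]:
    """Run every sample through the validator and report accepted/rejected with the reason."""
    results: Dict[str, str] = {}
    for label, (name, data) in SAMPLES.items():
        try:
            results[label] = "accepted:" + validate_profile_picture(name, data)
        except UploadRejected as exc:
            results[label] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(f"{label:18} {outcome}")
    # Demonstrate storage into a throwaway directory instead of the assumed real root.
    print(store_profile_picture(7, *SAMPLES["real_png"], root=tempfile.mkdtemp()))
```

The polyglot case is the one to note: a GIF header followed by PHP passes the signature check, so the `<?php` scan is only a speed bump. What actually neutralises it is that the file lands under a random name in a directory the web server never executes, which is why steps 7 and 8 matter more than any content check.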

DETECTION RULES:
- Monitor POST requests to /admin_panel/settings.php whose multipart filename carries a script extension or a double extension (.php, .phtml, .phar, .jsp, .sh, .php.jpg and similar)
- Alert on any request for a script-extension path under the profile picture directory; a 200 response for such a path is a strong indicator of a working web shell, and a 404 is still reconnaissance worth recording
- Correlate by client address: an upload to /admin_panel/settings.php followed within minutes by a request into the upload directory from the same address is the exploitation pattern to page on; failed logins preceding the upload (PR:L means a low-privilege account suffices) raise the priority further
- Monitor the upload directory for newly created files whose content does not match their extension, not only for files with an executable bit
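The detection rules above, run over web server access logs, as an added example for this page (not tooling from the project or from the advisory source). It assumes Apache/nginx combined log format, a profile picture directory served at /uploads/profile/ (the product's real path is not given on this page) and a ten-minute correlation window; the log lines are constructed, not real captures. It reports two kinds of finding: any request for a script-extension file under the upload directory, and the stronger case where the same client POSTed to /admin_panel/settings.php shortly before.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/admin_panel/settings.php"   # from the advisory
UPLOAD_DIR_PREFIX = "/uploads/profile/"        # assumed location of stored profile pictures
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?|cgi|sh)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)                 # upload-to-first-execution correlation window

# Constructed access log lines (not real captures).
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [03/Apr/2026:10:15:01 +0300] "POST /admin_panel/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Apr/2026:10:15:07 +0300] "GET /uploads/profile/7-a1b2.php?cmd=id HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '10.0.0.9 - - [03/Apr/2026:10:16:00 +0300] "POST /admin_panel/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [03/Apr/2026:10:16:03 +0300] "GET /uploads/profile/8-c3d4.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [03/Apr/2026:09:00:00 +0300] "GET /uploads/profile/x.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    "garbage line that does not parse",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]   # drop the query string before checking the extension
    return ev


def detect(lines: List[str]) -> Dict[str, List[dict]]:
    """Return script-extension requests under the upload dir, and those correlated with a prior upload."""
    events = [ev for ev in map(parse_line, lines) if ev]
    uploads = [ev for ev in events if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT]
    script_requests: List[dict] = []
    upload_then_execute: List[dict] = []
    for ev in events:
        if not (ev["path"].startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(ev["path"])):
            continue
        # Rule: a script-extension path inside the profile picture directory should never be requested.
        script_requests.append({"ip": ev["ip"], "path": ev["path"], "status": ev["status"]})
        # Rule: the same client POSTed to the vulnerable handler within WINDOW before this request.
        for up in uploads:
            delta = ev["ts"] - up["ts"]
            if up["ip"] == ev["ip"] and timedelta(0) <= delta <= WINDOW:
                upload_then_execute.append({
                    "ip": ev["ip"],
                    "upload_at": up["ts"].isoformat(),
                    "script_path": ev["path"],
                    "status": ev["status"],
                    "seconds_after_upload": int(delta.total_seconds()),
                })
                break
    return {"script_requests": script_requests, "upload_then_execute": upload_then_execute}


if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for kind, items in findings.items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data only 10.0.0.5 trips the correlated rule (a POST to the handler, then a .php under the upload directory answered with 200 six seconds later); 10.0.0.9 uploads and fetches a .png, which is normal use, and 10.0.0.7 probes for a script and gets 404, which is logged as a script request but not as exploitation. Feed real logs through `detect()` from a log shipper or a cron job and route `upload_then_execute` to a high-priority alert.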
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Relevant ECC subdomains: Identity and Access Management; Data and Information Protection; Vulnerability Management; Web Application Security; Cybersecurity Event Logs and Monitoring Management; Cybersecurity Incident and Threat Management. Cite the control numbers from the ECC edition your organisation is assessed against.
🔵 SAMA CSF
Governance - Policy and Risk Management Protect - Access Control and Authentication Protect - Data Protection and Privacy Detect - Security Monitoring and Logging Respond - Incident Response and Management
🟡 ISO 27001:2022
A.5.1 Policies for information security; A.5.9 Inventory of information and other associated assets; A.5.24 Information security incident management planning and preparation; A.8.8 Management of technical vulnerabilities; A.8.15 Logging; A.8.16 Monitoring activities; A.8.19 Installation of software on operational systems; A.8.25 Secure development life cycle; A.8.26 Application security requirements; A.8.28 Secure coding
📊 CVSS Score
6.3 / 10.0 (Medium)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector (AV:N): Network
Attack Complexity (AC:L): Low
Privileges Required (PR:L): Low (an authenticated, low-privilege account)
User Interaction (UI:N): None
Scope (S:U): Unchanged
Confidentiality (C:L): Low
Integrity (I:L): Low
Availability (A:L): Low
📋 Quick Facts
Severity: Medium
CVSS Score: 6.3
CWE: CWE-284
EPSS: 0.04%
Exploit: feed flag No; the NVD description above states that an exploit has been published
Patch: ✗ No
Published: 2026-04-03
Source Feed: nvd
🇸🇦 Saudi Risk Score
6.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-284