This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
🚨 **Essence**: Access Control Failure. Attackers can access the 'Add Student' view page without logging in.…
🛡️ **Root Cause**: Missing authentication logic. The controller method that serves `/index.php/students/addStudentView` does not verify a logged-in session or any other proof of identity before rendering the page, so any anonymous request reaches it (**unauthorized access**).
Q3 Who is affected? (Versions/Components)
📦 **Impact Scope**: The **CodeIgniter-StudentManagementSystem** project by `hemant6488`. Because the project follows a rolling release model with no tagged version numbers, **all versions** (every checkout of the repository) should be treated as affected.
Q4 What can hackers do? (Privileges/Data)
🕵️ **Attacker Capability**: Direct access to the management interface. An unauthenticated attacker can create **unauthorized student records**, inspect the internal form and page structure, and so on.…
🚪 **Exploitation Difficulty**: **Very Low**. CVSS vector `AV:N/AC:L/PR:N/UI:N`: reachable over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N). A single unauthenticated HTTP request is enough.
Q6 Is there a public exploit? (PoC/In-the-wild exploitation)
💣 **Exploit Status**: **Available**. Exploit details have been publicly disclosed (see VulDB submission #814277 and GitHub Issue #5), so attackers can reproduce the issue quickly.
Q7 How to self-check? (Features/Scanning)
🔍 **Self-Check Method**: From a client that sends no session cookie, request `http://target/index.php/students/addStudentView`. If the add-student form or page content is returned instead of a redirect to the login page or a 401/403 response, the vulnerability is present.
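The check above, as an added example (not code from the original analysis or from the project): a small Python probe that requests the path with no cookies, refuses to follow redirects, and classifies the raw response. The HTML markers it looks for (a `<form>` for the add-student view, a password field for the login page) and the default base URL are assumptions about a typical deployment; adjust them to yours.

```python
"""Probe /index.php/students/addStudentView without a session and classify the
answer.  Added example; not part of the original analysis or the project.
The form/login markers below are assumptions about typical CodeIgniter pages."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

TARGET_PATH = "/index.php/students/addStudentView"  # path named in the report


@dataclass
class Verdict:
    status: str   # "VULNERABLE", "PROTECTED" or "INCONCLUSIVE"
    reason: str


def classify(code: int, headers: dict, body: str) -> Verdict:
    """Decide from one raw HTTP response whether the view was served anonymously."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    low = body.lower()
    if code in (401, 403):
        return Verdict("PROTECTED", f"HTTP {code} without a session")
    if 300 <= code < 400:
        loc = hdrs.get("location", "")
        if "login" in loc.lower():
            return Verdict("PROTECTED", f"redirected to login page: {loc}")
        return Verdict("INCONCLUSIVE", f"redirect to {loc or '<no Location>'}; inspect manually")
    if code == 200:
        # A password field means the app answered with its login form instead.
        if re.search(r"type=[\"']?password", low):
            return Verdict("PROTECTED", "login form served in place of the view")
        if "<form" in low:
            return Verdict("VULNERABLE", "add-student form rendered without authentication")
        return Verdict("INCONCLUSIVE", "200 without a form; inspect manually")
    return Verdict("INCONCLUSIVE", f"unexpected HTTP {code}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect itself can be classified."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def probe(base_url: str, path: str = TARGET_PATH, timeout: float = 10.0) -> Verdict:
    """Request the view with no cookies and classify the response."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "addStudentView-check/1.0"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()),
                            resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        return classify(err.code, dict(err.headers.items()),
                        err.read(65536).decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # assumed default target; pass the real base URL as the first argument
    verdict = probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost")
    print(f"{verdict.status}: {verdict.reason}")
```

Run it as `python3 check.py http://target`. A redirect to anything other than a login page, or a 200 page with no form at all, is reported as inconclusive rather than as protected, so that a custom error page or an unusual routing setup is not mistaken for a fix.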
Q8 Is it fixed officially? (Patch/Mitigation)
🚫 **Official Fix**: **Not Fixed**. The project has been notified of the issue but has given **no response** so far, and no patch has been released. Because there are no versioned releases, there is also no fixed version to upgrade to; any future fix would have to be picked up from the repository itself.
Q9 What if no patch? (Workaround)
🛠️ **Temporary Workaround**: In the web server configuration (Nginx/Apache), **block external access** to the `/students/addStudentView` path, or add a WAF rule that intercepts this URI. Match both the `/index.php/students/addStudentView` form and the rewritten `/students/addStudentView` form of the path, and match case-insensitively, since PHP method names (and therefore CodeIgniter method segments) are case-insensitive. Blocking the view page does not by itself block the action the form submits to; confirm that the action also requires a session and block it the same way if it does not.
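One way to apply that block in Nginx, as an added example (not configuration from the original analysis or the project). It assumes the administrators who legitimately use the page come from `10.0.0.0/24`; replace that with your own network, or drop the `geo` block to deny everyone.

```nginx
# Added example, not from the original analysis or the project.
# Requests from the trusted admin network (assumption: 10.0.0.0/24) still
# reach the page; everyone else gets 403 before CodeIgniter runs.

# http {} context
geo $trusted_admin {
    default      0;
    10.0.0.0/24  1;   # assumption: replace with the real admin network
}

server {
    # ... existing listen / root / location blocks for the app ...

    # $uri is percent-decoded and slash-normalised, so %61ddStudentView or
    # //students/addStudentView cannot slip past; ~* because PHP method
    # names (hence CodeIgniter method segments) are case-insensitive.
    set $block_add_student 0;
    if ($uri ~* "^/(index\.php/)?students/addStudentView(/|$)") {
        set $block_add_student 1;
    }
    if ($trusted_admin) {
        set $block_add_student 0;
    }
    if ($block_add_student) {
        return 403;
    }
}
```

Only `set` and `return` are used inside `if`, which is the safe subset of that directive. After reloading, rerun the self-check from an untrusted address and expect a 403. The Apache equivalent is a `<LocationMatch>` with the same regular expression and a `Require ip` rule for the admin network.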
Q10 Is it urgent? (Priority Suggestion)
⚠️ **Priority**: **High**. Although the overall CVSS score is not high, the issue is **exploitable without authentication**, has a public exploit, and is **unpatched**.…