HIGH 7.3

CVE-2026-10110: SQL Injection in code-projects Student Details Management System 1.0

A SQL injection vulnerability exists in code-projects Student Details Management System version 1.0 affecting the /index.php file. An attacker can manipulate the 'roll' parameter to inject arbitrary SQL commands, potentially accessing, modifying, or deleting sensitive student records. The vulnerability requires no authentication and can be exploited remotely over the network. Public exploit code is already available, increasing the risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in code-projects Student Details Management System 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument roll results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10110 is a SQL injection vulnerability (CWE-89) triggered via unsafe handling of the 'roll' parameter in /index.php of the Student Details Management System. The vulnerability stems from improper input validation and neutralization (CWE-74), allowing attackers to craft malicious SQL queries. The CVSS 3.1 score of 7.3 (HIGH severity) reflects the network-accessible nature (AV:N), low attack complexity (AC:L), absence of privilege requirements (PR:N), and the combined impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The lack of user interaction (UI:N) and unchanged scope (S:U) indicate a straightforward exploitation path.

Business impact

Organizations deploying this system face significant operational and reputational risk. Attackers can exfiltrate sensitive student data including personally identifiable information (PII), potentially triggering data protection compliance violations and privacy breaches. Malicious modification of student records could corrupt institutional data integrity, disrupt academic operations, and erode stakeholder trust. In educational settings handling minors, breaches carry heightened regulatory scrutiny under laws such as FERPA in the United States.

Affected systems

The vulnerability affects code-projects Student Details Management System version 1.0. Organizations running this application—particularly educational institutions, training centers, and administrative bodies managing student records—should immediately identify and audit affected deployments. The vendor information was not disclosed in available advisories; administrators should verify the exact product lineage and installed versions within their infrastructure.

Exploitability

Exploitation is feasible and likely underway. The attack requires no authentication, low technical skill to execute, and can be performed remotely via HTTP. The public availability of working exploit code significantly lowers the barrier to entry for opportunistic attackers. The straightforward nature of SQL injection in a parameter-based input vector means exploitation can be achieved through basic fuzzing or publicly available payloads without sophisticated tooling.

Remediation

Immediate remediation is essential given the public exploit availability and HIGH severity rating. Organizations should prioritize upgrading to a patched version as provided by code-projects; verify the specific patch version number against the vendor's security advisory. If upgrades cannot be immediately deployed, implement compensating controls: deploy a Web Application Firewall (WAF) with SQL injection detection rules, restrict network access to the application via firewall policies, and apply input validation and parameterized query enforcement at the application layer. Monitor access logs and database activity for signs of exploitation.

Patch guidance

Contact code-projects for the latest patched version of Student Details Management System addressing this vulnerability. Apply patches in a non-production environment first to validate compatibility and functionality. Given the public exploit, treat this as a priority-one patch regardless of normal change management windows. Verify the patch version number against the vendor advisory before deployment to ensure you are receiving an authentic, complete fix. After patching, conduct database integrity checks to detect any unauthorized modifications that may have occurred during the vulnerability window.

Detection guidance

Monitor web server access logs for suspicious patterns in the /index.php endpoint, particularly requests containing SQL keywords (SELECT, UNION, INSERT, DROP) in the 'roll' parameter or URL-encoded variants thereof. Deploy or configure your WAF to alert on known SQL injection payloads and suspicious SQL syntax in HTTP parameters. Review database query logs and audit trails for unexpected or anomalous queries originating from the application layer. Use intrusion detection systems (IDS) to flag inbound traffic matching SQL injection signatures. Establish baseline traffic patterns pre-patch to identify anomalies post-exploitation. Additionally, monitor student record databases for unauthorized access, deletions, or modifications, particularly on timestamp and change-tracking fields.

Why prioritize this

This vulnerability merits immediate attention due to the combination of HIGH CVSS severity, public exploit availability, zero authentication requirements, and remote network accessibility. The sensitivity of educational data, regulatory compliance implications (FERPA, GDPR, state privacy laws), and operational disruption potential make this a critical risk. The absence of compensating controls in typical deployments and the ease of exploitation compound urgency. Organizations should treat this as a priority-one incident response item.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects a critical threat profile: Network-accessible (AV:N) with no authentication barrier (PR:N), the attack complexity is minimal (AC:L), no user interaction is required (UI:N), and the impact spans confidentiality, integrity, and availability across the security scope (C:L/I:L/A:L). While the impact ratings are 'Low' individually, the cumulative effect—combined with ease of exploitation and public exploits—justifies the HIGH severity classification and the urgent remediation posture recommended.

Frequently asked questions

Can this vulnerability be exploited without an internet connection or from inside a firewall?

Yes. The vulnerability is network-accessible (AV:N), meaning it can be exploited from any system with network connectivity to the affected instance. If the application is exposed on the public internet, it is exploitable remotely. If the application runs only on internal networks, the risk is constrained to internal threats; however, it remains exploitable by any authenticated or unauthenticated user with network access to that segment.

What data is at highest risk if this vulnerability is exploited?

Student records are the primary target, including names, contact information, roll numbers, academic history, grades, and any PII stored in the system. Attackers can also potentially access configuration data, other users' accounts, or even delete records entirely depending on database permissions assigned to the web application's database user.

Is upgrading the only way to fix this?

Upgrading to a patched version is the definitive fix. However, if an immediate upgrade is not possible, temporary mitigation includes deploying a WAF with SQL injection rules, restricting network access via firewall, implementing strict input validation, and using prepared statements or parameterized queries at the application code level if source code is accessible.

Does this vulnerability require the attacker to be logged in?

No. The vulnerability requires no authentication (PR:N in CVSS terms). An unauthenticated attacker can exploit it remotely, making the attack surface significantly larger and the risk more acute.

This analysis is provided for informational and defensive purposes only. The vulnerability details, CVSS score, affected versions, and patch guidance are derived from public security advisories and the CVE record. Organizations should verify all patch version numbers, compatibility information, and deployment guidance directly with code-projects' official security advisory before implementation. SEC.co does not provide legal advice; organizations subject to data protection regulations should consult legal counsel regarding breach notification and compliance obligations. No exploit code or weaponized proof-of-concept is provided or intended. Responsible disclosure principles should be followed if additional vulnerabilities are discovered. This analysis is current as of the publication date and may be updated as new information becomes available. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).