CVE-2026-10225: SQL Injection in PHP Student Management System Login
A SQL injection vulnerability exists in raisulislamg4's student management system (PHP-based). An attacker can manipulate the Username parameter in the login_check.php file to inject malicious SQL commands. The vulnerability is network-accessible, requires no authentication, and doesn't require user interaction. Exploit code is publicly available. The project uses a rolling release model, making it difficult to track specific patched versions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. This issue affects some unknown processing of the file login_check.php of the component Login. Performing a manipulation of the argument Username results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10225 is a SQL injection flaw (CWE-89, CWE-74) in the login component of a PHP student management system. The vulnerability exists in login_check.php where insufficient input validation on the Username parameter allows an attacker to craft SQL injection payloads. The attack vector is network-based (AV:N), has low attack complexity (AC:L), requires no privileges (PR:N) or user interaction (UI:N), and operates in the changed scope context with partial impact on confidentiality, integrity, and availability (C:L/I:L/A:L).
Business impact
Unauthorized database access could expose sensitive student records, administrative credentials, and personal information. An attacker could modify grades, enroll/remove students, or corrupt attendance records. The confidentiality breach exposes educational records; the integrity impact enables data manipulation; potential availability issues could disrupt system operations during an active attack or data exfiltration.
Affected systems
The student management system (raisulislamg4/student_management_system_by_php) up to commit 310d950e09013d5133c6b9210aff9444382d16d1 is affected. Because the project uses a rolling release model, specific version numbers are not available. Any deployment of this system without patches beyond the identified commit is vulnerable. Educational institutions running this open-source system are the primary targets.
Exploitability
This vulnerability is highly exploitable. No authentication is required to reach the login_check.php endpoint, attack complexity is low, and the exploit is publicly available. Remote exploitation over the network is straightforward—an attacker can craft malicious SQL through the Username field without special access or user interaction. The public availability of exploit code significantly increases the practical risk.
Remediation
The project has been notified but has not yet responded with a patch. Organizations should: (1) monitor the project repository for security commits beyond the vulnerable commit hash, (2) implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the Username parameter, (3) consider a security code review and patch in-house if timely upstream fixes are not forthcoming, and (4) restrict network access to the login_check.php endpoint to authorized IP ranges if operationally feasible.
Patch guidance
No official patch version is currently available due to the rolling release model and lack of upstream response. Verify the project repository for any security-related commits after commit 310d950e09013d5133c6b9210aff9444382d16d1. In the interim, apply input validation and parameterized queries locally if you maintain a fork, or restrict access via network controls. Monitor the project's GitHub issues and commit history for security updates.
Detection guidance
Monitor authentication logs for unusual SQL syntax patterns in Username fields (e.g., quotes, SQL keywords, comment sequences). Deploy WAF signatures targeting common SQL injection payloads. Log and alert on failed login attempts with special characters or multi-statement queries. Network-based detection should flag requests to login_check.php containing UNION, SELECT, OR, DROP, or other SQL keywords in the Username parameter.
Why prioritize this
HIGH severity due to (1) unauthenticated network-accessible SQL injection, (2) public exploit availability accelerating real-world attack risk, (3) sensitive data exposure (student records, grades, personal information), (4) integrity compromise enabling unauthorized modifications, (5) lack of upstream patch response necessitating urgent defensive measures, and (6) low attack complexity reducing attacker skill requirements.
Risk score, explained
CVSS 3.1 score of 7.3 (HIGH) reflects unauthenticated remote exploitation (AV:N/PR:N/UI:N) with low complexity (AC:L). The unchanged scope (S:U) and partial impact on confidentiality, integrity, and availability (C:L/I:L/A:L) justify the elevated rating. Public exploit availability and lack of vendor response push this from a medium concern to an urgent remediation priority.
Frequently asked questions
Can this vulnerability be exploited without network access?
No. The attack vector is network-based (AV:N), meaning an attacker must reach the login_check.php endpoint remotely. However, no authentication is required, and the endpoint is typically internet-facing on student management systems.
What does 'rolling release model' mean for patching?
The project does not issue numbered version releases. Instead, it continuously updates the main codebase. This makes it harder to track whether a deployment is patched—you must compare your commit hash against the repository history to verify if a security fix has been applied.
Is it safe to update to the latest commit?
Verify against the project repository and commit history. Since the vulnerability was reported but not yet addressed by the maintainer, the latest commit may not include a fix. Review each recent commit's changelog and test in a staging environment before production deployment.
What input validation would stop this attack?
Use parameterized queries (prepared statements) with bound parameters instead of string concatenation. Additionally, implement strict allowlist validation on the Username field (alphanumeric characters, standard symbols only) and reject any input containing SQL keywords or special characters outside the expected format.
This analysis is based on publicly available vulnerability data as of the publication date. No official patch is currently available; verify against the project repository and official vendor advisories before taking action. This content is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment and testing in isolated environments. SEC.co makes no warranty regarding the accuracy or completeness of exploit information or patch availability. Always validate vulnerability findings and patch applicability in your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10226HIGHSQL Injection in raisulislamg4 Student Management System – Exploitation & Remediation