CVE-2026-10227: SQL Injection in Student Management System User Creation Handler
A SQL injection vulnerability exists in the student management system by raisulislamg4 (up to commit 310d950e) that allows unauthenticated attackers to manipulate the role parameter in the user creation process. An attacker can submit malicious input through the add_user_check.php endpoint to execute arbitrary SQL commands, potentially reading, modifying, or deleting database contents. The vulnerability has been publicly disclosed and proof-of-concept information is available, increasing the likelihood of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. The affected element is an unknown function of the file add_user_check.php of the component User Creation Handler. The manipulation of the argument role leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in add_user_check.php's User Creation Handler component, where the 'role' argument is processed without proper input validation or parameterized queries. This classic SQL injection (CWE-89) combined with improper input neutralization (CWE-74) allows an unauthenticated remote attacker to inject SQL syntax. The CVSS v3.1 score of 7.3 (HIGH) reflects the network-accessible nature, absence of authentication requirements, and the attack's ability to compromise confidentiality, integrity, and availability of the underlying database. No authentication or user interaction is required to exploit this flaw.
Business impact
If this student management system processes enrollment data, grades, or personally identifiable information (PII) of students and staff, a successful SQL injection attack could result in unauthorized access to sensitive educational records, unauthorized modifications to student accounts or grades, or complete database corruption. Organizations relying on this system face potential regulatory violations (FERPA, GDPR), reputational damage, and operational disruption. The public disclosure of the vulnerability and availability of exploitation details elevate the risk of opportunistic attacks.
Affected systems
The raisulislamg4 student_management_system_by_php is affected up to commit 310d950e09013d5133c6b9210aff9444382d16d1. Because the project follows a rolling release model, no specific version numbers or patch versions have been officially designated. All instances running this codebase at or before the noted commit are vulnerable. Systems using older snapshots or branches that haven't incorporated fixes are at risk.
Exploitability
Exploitability is high. The vulnerability requires no authentication, no user interaction, and no special network positioning—it is exploitable directly over the network from an unauthenticated attacker. The public disclosure and availability of proof-of-concept information mean that attack tooling and techniques are likely documented or in circulation. The straightforward nature of SQL injection in a user-creation endpoint makes this accessible to both skilled and moderately skilled attackers. No CISA KEV listing currently exists, but the public disclosure status should elevate monitoring priority.
Remediation
Immediate remediation requires code review and patching of add_user_check.php. Implement prepared statements or parameterized queries for all database interactions involving user-supplied input, particularly the 'role' parameter. Apply robust input validation and whitelist acceptable role values. The project maintainers have been notified but have not yet responded; organizations should not wait for an official patch and instead perform immediate code assessment or consider deploying a Web Application Firewall (WAF) to block SQL injection patterns as a temporary control. If possible, restrict network access to the user creation endpoint.
Patch guidance
Because the student management system follows rolling releases, check the project's repository (raisulislamg4/student_management_system_by_php) for any commits after 310d950e that address SQL injection in add_user_check.php. Apply the latest version from the main development branch if available. Verify against the vendor advisory or repository changelog to confirm the fix is included. In the absence of an official patch, implement the technical controls described above (parameterized queries, input validation) directly in your environment or consider forking and patching the code internally if you maintain a local instance.
Detection guidance
Monitor add_user_check.php access logs for requests containing SQL metacharacters (quotes, semicolons, UNION, SELECT, etc.) in the 'role' parameter. Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection payloads. Enable database query logging to identify suspicious or unusual SQL commands that deviate from expected user-creation patterns. Alert on failed database connection attempts or unexpected database permission errors that might indicate exploitation attempts. Network-based intrusion detection signatures targeting SQL injection in HTTP parameters should be tuned and enabled.
Why prioritize this
This vulnerability merits immediate prioritization due to the combination of a HIGH CVSS score (7.3), unauthenticated network exploitability, public disclosure, and the sensitive nature of the data typically stored in student management systems (PII, academic records). The lack of official patch status and unresponsive maintainers means organizations cannot rely on a vendor update timeline and must take independent action. Any internet-facing instance should be treated as critically exposed.
Risk score, explained
The CVSS v3.1 score of 7.3 reflects: (1) Network accessibility (AV:N) with no authentication (PR:N) or user interaction (UI:N), making the attack straightforward and widely executable; (2) Low attack complexity (AC:L), as SQL injection in web applications is a well-established technique; (3) Impact on all three security objectives—the vulnerability enables attackers to read (Confidentiality), modify (Integrity), and potentially delete (Availability) database contents. The 'U' in Scope (SU) indicates the impact is limited to the vulnerable component, not system-wide, which moderates the score somewhat. The HIGH severity classification is justified given the direct path to unauthorized database manipulation.
Frequently asked questions
Is there an official patch available?
The project maintainers were notified early through an issue report but have not yet responded with a patch. Because the student management system follows a rolling release model without version numbers, no specific patch version has been released. Organizations should check the repository's commit history after 310d950e for fixes and implement immediate mitigations independently rather than waiting for an official release.
Who can exploit this vulnerability?
Any unauthenticated attacker with network access to the add_user_check.php endpoint can attempt exploitation. No special privileges, credentials, or user interaction are required. The public disclosure of this vulnerability means that attack methods and proof-of-concept code are likely available online, making it accessible to attackers of varying skill levels.
What is the impact of a successful attack?
A successful SQL injection attack allows the attacker to execute arbitrary SQL queries against the database. Depending on database permissions, this can result in unauthorized access to student records, grades, and personal information; unauthorized modification or deletion of user accounts or academic data; or complete database compromise. The impact severity depends on what data the student management system stores and the privileges of the database user running the application.
How should I protect my system if I'm using this software?
Implement immediate defensive measures: (1) Restrict network access to add_user_check.php via firewall rules or network segmentation if the endpoint is not required for all users; (2) Deploy WAF rules to detect and block SQL injection attempts; (3) Review and upgrade the codebase from the repository, or apply prepared statements and input validation directly if you maintain a local instance; (4) Enable database query logging and monitor for suspicious commands; (5) Review recent database activity logs for signs of unauthorized access or modification.
This analysis is based on publicly available information as of the publication and modification dates noted (2026-06-01 to 2026-06-17). No exploit code or weaponized proof-of-concept steps are provided. CVSS scores and CWE classifications are sourced from the official vulnerability record and should be verified against the vendor advisory if one becomes available. Organizations are responsible for assessing their own risk and testing mitigations in their specific environments. The lack of official vendor response does not guarantee the vulnerability will remain unpatched indefinitely; always check the project repository for the latest updates. This vulnerability information is provided for defensive and awareness purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login