HIGH 7.3

CVE-2026-10620: SQL Injection in Student Admission System 1.0

A SQL injection vulnerability exists in code-projects Student Admission System version 1.0. The flaw resides in the /index.php file and can be exploited by manipulating the eid or did parameters. An attacker can inject malicious SQL commands without authentication, potentially reading or modifying sensitive student and admission data. Public exploit code is available, increasing the likelihood of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument eid/did causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10620 is a remote, unauthenticated SQL injection vulnerability affecting Student Admission System 1.0. The vulnerable parameter accepts unsanitized user input in the eid and did arguments passed to an unknown function within /index.php. The vulnerability stems from improper input validation and parameterized query handling (CWE-89), allowing attackers to craft SQL statements that execute arbitrary database commands. The attack vector is network-accessible with no privileges or user interaction required. CVSS v3.1 score of 7.3 (HIGH) reflects low complexity exploitation, partial impact on confidentiality, integrity, and availability, and unchanged scope.

Business impact

Institutions running this admission system face exposure of personally identifiable information (student records, contact details, application data), unauthorized modification of admission records, and potential service disruption. Reputational harm, regulatory compliance violations (FERPA, GDPR, local data protection laws), and litigation risk are significant. Attackers could alter admissions decisions, create fraudulent applications, or extract bulk enrollment data for downstream attacks or sale.

Affected systems

code-projects Student Admission System version 1.0 is confirmed vulnerable. No vendor patch version information is provided in the advisory. Organizations should verify whether they are running this specific version and check the vendor's repository or advisory channel for patches or workarounds. Deployments in production environments should be prioritized for assessment.

Exploitability

This vulnerability is highly exploitable. The attack requires no authentication, no special privileges, and no user interaction. Network accessibility combined with published exploit code and straightforward SQL injection techniques mean exploitation barriers are minimal. Threat actors can perform reconnaissance on exposed instances, extract database contents, or manipulate records. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms ease of exploitation.

Remediation

Immediate actions: (1) Identify all instances of Student Admission System 1.0 in your environment. (2) Contact code-projects for available patches or security updates; apply as soon as tested. (3) Implement network segmentation to restrict /index.php access to trusted networks only. (4) Apply input validation and parameterized queries at the application level as a temporary mitigation. (5) Monitor database logs for suspicious SQL queries. Long-term: upgrade to a patched or supported version, conduct code review for similar injection flaws, and implement web application firewall (WAF) rules to block SQL injection payloads.

Patch guidance

Verify the latest security advisory from code-projects for availability and version numbers of patches. If no official patch exists, prioritize upgrading to the latest available version of the admission system or a maintained alternative. Patches should be tested in a non-production environment first, particularly given the system's criticality to enrollment operations. Document the timeline and rationale for any delay in patching.

Detection guidance

Monitor web server and application logs for: (1) requests to /index.php containing suspicious SQL syntax or encoding (UNION, SELECT, OR 1=1, etc.) in eid or did parameters; (2) unusual database query patterns or errors logged by the application; (3) unexpected data extraction or modification in admission records; (4) failed login attempts followed by SQL injection attempts. Deploy a WAF rule set to alert on SQL injection signatures. Conduct a database audit to identify unauthorized changes to student records post-publication of this CVE.

Why prioritize this

Despite the lack of CISA KEV designation, this vulnerability warrants urgent remediation due to published exploits, public documentation, ease of exploitation, and direct access to sensitive educational records. The combination of high CVSS score, authentication-free attack surface, and data sensitivity places this in the highest tier for internal prioritization. Organizations should treat this as critical if the affected version is in use.

Risk score, explained

CVSS 7.3 (HIGH) reflects the confluence of network accessibility, low attack complexity, absence of privilege or user interaction requirements, and partial impact on confidentiality, integrity, and availability. The published exploit and minimal barriers to entry further elevate practical risk above the baseline CVSS. For educational institutions holding sensitive minor data or handling applications, business risk exceeds the technical score.

Frequently asked questions

What versions of Student Admission System are affected?

Version 1.0 is confirmed vulnerable. Contact code-projects to determine whether newer versions contain fixes or if version 1.0 is still actively supported.

Can this vulnerability be exploited from the internet?

Yes. The vulnerability is remotely exploitable without authentication. Any instance with network exposure (including via the public internet) is immediately at risk.

How can I determine if my instance has been compromised?

Review database audit logs and application logs for the timeframe since CVE-2026-10620 publication (June 2, 2026) for SQL injection attempts, unusual query patterns, or unexpected changes to admission records. Check for unusual new student records or modifications to application statuses.

Is there a workaround if patching is delayed?

Implement strict network access controls (firewall rules, VPN requirement) to restrict /index.php to authorized administrators only. Deploy a WAF with SQL injection detection rules. These are temporary mitigations; patching should not be indefinitely delayed.

This analysis is based on publicly available information as of June 17, 2026. Patch status and vendor guidance may have been updated since publication; verify directly with code-projects and your internal change management processes before applying any remediation. This is not legal or compliance advice; consult with your privacy and legal teams regarding disclosure obligations under FERPA and local data protection regulations. SEC.co does not endorse any specific tools, products, or versions mentioned and recommends thorough testing in isolated environments prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).