CVE-2026-11530: SQL Injection in imvks786 Student Management System Login
A SQL injection vulnerability exists in the imvks786 student management system's login component. An attacker can manipulate the username and password parameters to inject malicious SQL commands, potentially gaining unauthorized access to the system or extracting sensitive student data. The vulnerability is remotely exploitable without authentication and does not require user interaction, making it a straightforward attack vector. Public exploit code is available, elevating the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This affects an unknown function of the file /index.ph of the component Login. Such manipulation of the argument usr/pwd leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the login functionality (/index.ph) of the student management system, where user-supplied input from the 'usr' and 'pwd' parameters is not properly sanitized before being used in SQL queries. This classic SQL injection flaw (CWE-89) combined with improper input validation (CWE-74) allows attackers to craft malicious payloads that bypass authentication or extract database contents. The product uses a rolling release model, which complicates version tracking and patch identification. As of the last update, the vendor has not publicly responded to the disclosure.
Business impact
A successful exploit could allow unauthorized access to student records, compromising personally identifiable information (PII) and educational data. This exposure creates liability under regulations like FERPA and GDPR, potential reputational damage, and operational disruption. Educational institutions using this system face direct risk to their data governance and student privacy obligations. The public availability of exploit code increases the likelihood of opportunistic attacks targeting deployed instances.
Affected systems
The imvks786 student management system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46 is affected. Exact version numbers are not available due to the rolling release model. Any installation of this system using the vulnerable codebase is at risk. Organizations must consult the project repository or vendor communications to determine their specific exposure.
Exploitability
This vulnerability is highly exploitable. It requires no authentication, no user interaction, and only network access—all conditions typically met in production deployments. The CVSS 3.1 score of 7.3 (High) reflects the combination of remote network attack vector, low complexity, and impact to confidentiality, integrity, and availability. The public availability of exploit code further reduces the barrier to exploitation, making opportunistic and targeted attacks probable.
Remediation
Immediate remediation requires identifying and updating to a patched version of the student management system. Since the project uses rolling releases, consult the imvks786 repository on GitHub or the vendor's security advisory for the specific commit or version that addresses this issue. For organizations unable to update immediately, implement network segmentation to restrict access to the login interface and apply a Web Application Firewall (WAF) rule to block SQL injection patterns in the usr/pwd parameters.
Patch guidance
Check the imvks786 student_management_system repository for commits after 9599b560ad3c3b83e75d328b76bedcd489ef1f46 that address SQL injection in the login component. Deploy any available security patches or updates from the vendor. Given the rolling release model, monitor the project's issue tracker and commit history for confirmation that the vulnerability has been fixed. Implement parameterized queries and prepared statements to prevent future SQL injection issues.
Detection guidance
Monitor authentication logs for unusual login attempts with SQL metacharacters (single quotes, semicolons, SQL keywords like 'UNION', 'OR', etc.) in the username or password fields. Deploy a WAF to detect and block SQL injection patterns. Use database activity monitoring to identify unexpected queries or attempts to access unauthorized tables. Set alerts on failed login attempts from the same source IP, which may indicate SQL injection scanning or exploitation attempts.
Why prioritize this
This vulnerability should be prioritized as HIGH due to its remotely exploitable nature, lack of authentication requirement, public exploit availability, and direct impact on sensitive educational data. The combination of ease of exploitation and business criticality in educational settings demands swift remediation to prevent data breaches and regulatory violations.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects a High-severity vulnerability with critical attack characteristics: remote network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirements (PR:N), and no user interaction needed (UI:N). The impact includes loss of confidentiality, integrity, and availability (C:L/I:L/A:L), making this a material risk to any organization running the affected system. Public exploit availability increases practical risk beyond the base score.
Frequently asked questions
What is SQL injection and why is it dangerous in a student management system?
SQL injection occurs when an attacker inserts malicious SQL code into input fields, tricking the application into executing unintended database commands. In a student management system, this can allow attackers to bypass login controls, access or modify student records, extract grades, and expose personal information—creating legal and reputational consequences for the institution.
How do I know if my installation is vulnerable?
If you are running the imvks786 student management system at or before commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46, your installation is vulnerable. Due to the rolling release model, consult your deployment logs or repository history to confirm your commit hash. Contact the vendor or check their security advisories for patched versions.
What should I do if I cannot patch immediately?
Implement compensating controls: restrict network access to the login interface using firewall rules, deploy a WAF to block SQL injection patterns, enable detailed authentication and database logging, and monitor for suspicious activity. While these measures reduce risk, they do not eliminate it—patching should remain your priority as soon as feasible.
Will this vulnerability affect my system if it is behind a firewall?
A firewall can restrict who can attempt to exploit this vulnerability, but it does not fix the underlying flaw. If the login interface is accessible to authenticated users or internal networks, malicious insiders or compromised internal systems could still exploit the vulnerability. Patching is the definitive remediation.
This analysis is provided for informational purposes and is based on publicly disclosed vulnerability data and vendor statements as of the publication date. The CVSS score, CWE classifications, and affected versions are sourced from official CVE records and the vendor's disclosure. Patch availability and version information should be verified directly with the imvks786 project or your specific vendor. SEC.co makes no guarantee of exploit accessibility, weaponization status, or real-world exploitation prevalence. Organizations should conduct their own risk assessment and consult with qualified security professionals before implementing remediation strategies. This content does not constitute legal, compliance, or vendor-specific technical advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login