Description
In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
Published: 2026-04-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality and Integrity of database compromised
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a time-based blind SQL injection reachable through the fromdate POST parameter of the between-date-reprtsdetails.php script in School-management-system 1.0. By submitting crafted values that make the database pause for a measurable time, an attacker can infer database contents one condition at a time, gain unauthorized access to sensitive data, and potentially modify or delete records, compromising both the confidentiality and integrity of the system's data. The underlying weakness is classic SQL injection (CWE-89).

Affected Systems

The affected system is the open-source School-management-system version 1.0. No vendor information beyond the application name is available; the issue appears to live in a community-maintained codebase.

Risk and Exploitability

The CVSS score of 9.8 indicates severe impact and easy exploitation. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is a single HTTP POST request to the vulnerable endpoint; authentication requirements are not stated, so the flaw may be reachable by unauthenticated users or by users with limited privileges. The combination of a high severity score, a direct attack path, and the absence of a fix in the current version places this issue at high risk of exploitation.

Generated by OpenCVE AI on April 14, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the School-management-system in which the time-based blind SQL injection vulnerability is fixed.
  • If no patch is available, change the fromdate parameter handling to use prepared statements with parameterized queries.
  • Restrict access to the /studentms/admin/ directory to authenticated administrators only.
  • Deploy a web application firewall rule to detect and block time-based SQL injection patterns targeting between-date-reprtsdetails.php.
  • Monitor application logs for unusual query delays or repeated failed injection attempts and respond promptly.
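The second recommendation above (prepared statements for the fromdate parameter) is shown below as an added example in PHP, the language of the affected endpoint. This is not code from the School-management-system project and does not reproduce its report script; it is a generic hardened handler for a date-range report. The table name tblstudent, the column RegDate, the todate parameter, the database name studentms and the connection credentials are all assumptions chosen for illustration. The commented-out line near the top shows the general string-interpolation anti-pattern that time-based blind injection relies on, for contrast with the bound-parameter version that replaces it.

```php
<?php
// Added example, not code from the School-management-system project.
// Hardened handler for a date-range report: validate the POST parameters as
// real calendar dates, then bind them as query parameters so the database
// engine never parses user input as SQL. A bound value cannot smuggle in a
// delay function, so the time-based blind technique has nothing to act on.
//
// Anti-pattern this replaces (generic illustration, not the project's code):
//   $sql = "SELECT ... WHERE RegDate BETWEEN '" . $_POST['fromdate'] . "' AND ...";
//
// Assumptions (hypothetical): PDO with MySQL, a table `tblstudent` with a
// `RegDate` column, and a second `todate` parameter for the range end.

declare(strict_types=1);

/**
 * Accept only a strict YYYY-MM-DD calendar date; return null otherwise.
 * DateTime::createFromFormat alone would accept "2026-02-31" by rolling it
 * over into March, so the round-trip comparison rejects such values.
 */
function parseIsoDate(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $dt->format('Y-m-d');
}

/**
 * Fetch report rows for [$fromDate, $toDate] with a prepared statement.
 * The SQL text is a constant; both dates travel to the server as bound
 * values and are never concatenated into the query.
 */
function fetchBetweenDates(PDO $pdo, string $fromDate, string $toDate): array
{
    $sql = 'SELECT ID, StudentName, RegDate
            FROM tblstudent
            WHERE DATE(RegDate) BETWEEN :fromdate AND :todate
            ORDER BY RegDate';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':fromdate', $fromDate, PDO::PARAM_STR);
    $stmt->bindValue(':todate', $toDate, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate first: anything that is not a plain calendar date is rejected
// before a database connection is even opened.
$fromDate = parseIsoDate($_POST['fromdate'] ?? null);
$toDate   = parseIsoDate($_POST['todate'] ?? null);

if ($fromDate === null || $toDate === null) {
    http_response_code(400);
    exit('Invalid date range');
}

// Emulated prepares are switched off so MySQL performs genuine server-side
// parameter binding rather than client-side string escaping.
// Connection details are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=studentms;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

foreach (fetchBetweenDates($pdo, $fromDate, $toDate) as $row) {
    // Output encoding guards the report page against stored markup as well.
    echo htmlspecialchars($row['StudentName'], ENT_QUOTES, 'UTF-8'),
         ' ', $row['RegDate'], PHP_EOL;
}
```

Two design points matter here. Validation and parameterization are layered deliberately: the strict date check rejects malformed input early and gives the application a clean 400 to log, while the bound parameters are the actual control, so the query stays safe even if the validation is later loosened. Disabling PDO::ATTR_EMULATE_PREPARES makes the binding happen in the MySQL server rather than as client-side escaping, which is the behaviour most people assume they are getting from "prepared statements".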

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000
  First Time appeared (values added): Manikandan580; Manikandan580 school-management-system
  Vendors & Products (values added): Manikandan580; Manikandan580 school-management-system

Wed, 15 Apr 2026 15:45:00 +0000
  Title (value added): Time-Based Blind SQL Injection in Student Management System Admin Endpoint

Tue, 14 Apr 2026 18:30:00 +0000
  Weaknesses (value added): CWE-89
  References:
  Metrics ssvc (value added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 15:45:00 +0000
  Description (value added): In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.
  References:
  Metrics cvssV3_1 (value added): {'score': 9.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:49:30.241Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65135

Vulnrichment

Updated: 2026-04-14T17:48:44.776Z

NVD

Status: Deferred

Published: 2026-04-14T16:16:34.503

Modified: 2026-04-17T15:33:34.050

Link: CVE-2025-65135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:03:13Z

Weaknesses