CVE-2026-10620 - Vulnerability Details

- code-projects Student Admission System index.php sql injection

Description

A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument eid/did causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Published: 2026-06-02

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Student Admission System 1.0 allows attackers to execute SQL injection via manipulation of the eid and did parameters in the /index.php page. The vulnerability is a classic example of CWE-74 (Improper Neutralization of Special Elements used in an Expression) and CWE-89 (SQL Injection) and can lead to unauthorized data access, data modification, or denial of service. Based on the description, the attack is possible to be carried out remotely by submitting crafted requests to the vulnerable endpoints.

Affected Systems

The affected product is code‑projects Student Admission System version 1.0. The vulnerable function is within /index.php and accepts user-supplied eid/did parameters without proper validation or sanitization.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity vulnerability. The EPSS score is not available, but the fact that an exploit has already been published suggests a higher likelihood of real-world exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can remotely send crafted requests to the vulnerable endpoint, bypass authentication checks on the input parameters, and execute arbitrary SQL queries against the underlying database.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Student Admission System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Student Admission System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Obtain and install the updated Student Admission System version that resolves the SQL injection vulnerability (if available) or request a patch from the maintainers.
Restrict external access to /index.php by applying IP filtering or requiring authentication to limit exposure to unauthorized users.
Configure a web application firewall or implement input‑validation rules to block malicious query strings containing SQL keywords or special characters in the eid/did parameters.

Generated by OpenCVE AI on June 3, 2026 at 04:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/Xu-Zhihan/CVE/issues/12
https://github.com/Xu-Zhihan/CVE/issues/13
https://vuldb.com/cve/CVE-2026-10620
https://vuldb.com/submit/829586
https://vuldb.com/submit/829606
https://vuldb.com/vuln/367928
https://vuldb.com/vuln/367928/cti

History

Wed, 03 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument eid/did causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Title		code-projects Student Admission System index.php sql injection
First Time appeared		Code-projects Code-projects student Admission System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:code-projects:student_admission_system::::::::
Vendors & Products		Code-projects Code-projects student Admission System
References		https://code-projects.org/ https://github.com/Xu-Zhihan/CVE/issues/12 https://github.com/Xu-Zhihan/CVE/issues/13 https://vuldb.com/cve/CVE-2026-10620 https://vuldb.com/submit/829586 https://vuldb.com/submit/829606 https://vuldb.com/vuln/367928 https://vuldb.com/vuln/367928/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Student Admission System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-02T20:15:12.809Z

Updated: 2026-06-03T12:47:15.448Z

Reserved: 2026-06-02T13:56:05.979Z

Link: CVE-2026-10620

Vulnrichment

Updated: 2026-06-03T12:47:11.888Z

NVD

Status : Received

Published: 2026-06-02T21:16:26.367

Modified: 2026-06-02T21:16:26.367

Link: CVE-2026-10620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:49Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object