Impact
A vulnerability exists in the Simple Student Alumni System that allows an attacker to inject arbitrary SQL statements through the /TracerStudy/recordteacher_edit.php endpoint. This flaw can lead to unauthorized reading or alteration of database contents, potentially exposing sensitive student and alumni information, and enabling further compromise of the application. The weakness is a classic SQL injection, classified as CWE-89, and presents a high risk to data confidentiality and integrity.
Affected Systems
The weakness is present in the Simple Student Alumni System version 1.0, identified by the CPE cpe:2.3:a:carmelo:simple_student_alumni_system:1.0. The application is web-based, and no other versions or vendors are listed as affected.
Risk and Exploitability
The CVSS score of 9.8 rates this flaw as Critical, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild at the time of analysis. The flaw is not currently listed in the CISA KEV catalog. Although the description does not specify the exact access method, the likely attack vector is remote, via the exposed HTTP endpoint: an attacker with public or low-privileged access to the application could submit crafted input through the form that writes to the database.
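The CWE-89 pattern behind this advisory, an edit form whose submitted values are spliced into an UPDATE statement, is illustrated below next to its parameterized fix. This is an added example written for this page, not code from the Simple Student Alumni System; the table, column names and sample rows are constructed, and nothing here reflects the real recordteacher_edit.php endpoint.

```python
import sqlite3

# Constructed sample records standing in for a teacher/alumni table;
# schema and values are assumptions, not taken from the affected project.
SAMPLE_ROWS = [
    (1, "Alice Santos", "Mathematics"),
    (2, "Bob Reyes", "Physics"),
    (3, "Carla O'Brien", "History"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teacher (id INTEGER PRIMARY KEY, name TEXT, subject TEXT)")
    conn.executemany("INSERT INTO teacher VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_teacher_vulnerable(conn, teacher_id, name):
    """CWE-89 pattern: request values are pasted into the SQL text, so the
    submitted id is parsed as SQL rather than as data. Returns rows changed."""
    sql = f"UPDATE teacher SET name = '{name}' WHERE id = {teacher_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_teacher_safe(conn, teacher_id, name):
    """Hardened form: the statement text is fixed, values are bound as
    parameters, and the id is validated as an integer before it is used."""
    tid = int(str(teacher_id).strip())  # raises ValueError on non-numeric ids
    cur = conn.execute("UPDATE teacher SET name = ? WHERE id = ?", (name, tid))
    conn.commit()
    return cur.rowcount


def names(conn):
    """Return the current name column in id order, for inspection."""
    return [row[0] for row in conn.execute("SELECT name FROM teacher ORDER BY id")]


def demo():
    """Run both handlers with the same untrusted id; the concatenated query
    rewrites every row, the parameterized one rejects the id and changes nothing."""
    hostile_id = "2 OR 1=1"  # constructed input submitted where an id is expected
    vuln_db, safe_db = make_db(), make_db()
    vuln_changed = update_teacher_vulnerable(vuln_db, hostile_id, "changed")
    try:
        safe_changed = update_teacher_safe(safe_db, hostile_id, "changed")
    except ValueError:
        safe_changed = 0
    return vuln_changed, names(vuln_db), safe_changed, names(safe_db)


if __name__ == "__main__":
    print(demo())
```

The parameterized handler also accepts legitimate values that break the concatenated query, such as a name containing an apostrophe, which is the usual sign that a codebase is building SQL by string formatting.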
OpenCVE Enrichment