Description
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
Published: 2026-04-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection Granting Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

A SQL injection flaw in the username parameter of login.php allows an attacker to inject arbitrary SQL commands into the authentication query. This enables the attacker to read, modify, or delete database records, potentially gaining unauthorized access to sensitive user data and escalating privileges if the database user has elevated rights.

Affected Systems

The vulnerability exists in the PHP-MYSQL-User-Login-System version 1.0, a publicly available web application with no listed vendor. The affected component is the login.php script that processes user credentials.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is critical, while the EPSS score of less than 1% suggests current exploitation activity is low but still possible. The system is not listed in CISA's KEV catalog. The likely attack vector is a web request directed at the login endpoint; an attacker submits a crafted username payload to manipulate the SQL query. If the vulnerability is exploited, the attacker can exfiltrate data or compromise the entire database.

Generated by OpenCVE AI on April 14, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the PHP-MYSQL-User-Login-System if one is available.
  • Validate and sanitize all user-supplied input, especially the username field.
  • Replace string concatenation with prepared statements or parameterized queries to build SQL commands.
  • If a patch cannot be applied immediately, restrict external access to the login page and monitor logs for suspicious activity.

Generated by OpenCVE AI on April 14, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection Vulnerability in PHP-MYSQL User Login System

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title SQL Injection Vulnerability in PHP-MYSQL User Login System
Weaknesses CWE-89

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Keerti1924
Keerti1924 php-mysql-user-login-system
Vendors & Products Keerti1924
Keerti1924 php-mysql-user-login-system

Fri, 10 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
References

Subscriptions

Keerti1924 Php-mysql-user-login-system
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:08:36.518Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29861

cve-icon Vulnrichment

Updated: 2026-04-14T14:08:28.839Z

cve-icon NVD

Status : Deferred

Published: 2026-04-10T15:16:23.477

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-29861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:39Z

Weaknesses