Description
A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw exists in the delete_user.php script of the code-projects Student Membership System version 1.0. The ID parameter reaches the database query without adequate validation or parameterization, so any user who can reach the script can inject SQL. Because the injection point is in a delete operation, the most direct consequence is removal of records beyond the one intended (an always-true condition in the WHERE clause discards every row the statement can see); depending on the driver and query shape, blind extraction or modification of other data is also possible. The weakness is classified as CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection).

Affected Systems

The vulnerability affects the Student Membership System 1.0, specifically the delete_user.php component accessed through the web interface. Any installation of this application that hosts that script is at risk.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 (v3.1: 6.3) indicates moderate severity. The flaw can be exploited remotely by sending a crafted ID value to the delete_user.php endpoint. Every published vector requires low privileges (PR:L in v3.x and v4.0, Au:S in v2), so the attacker needs an account on the application, though not an administrative one; a public proof-of-concept exists. EPSS is below 1%, SSVC records exploitation as proof-of-concept, not automatable, with partial technical impact, and the CVE is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on March 31, 2026 at 11:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of the Student Membership System that uses prepared (parameterized) statements and input validation for the delete_user.php function.
  • If an official update is not available, modify delete_user.php to enforce strict integer validation on the ID parameter and rewrite the query to use a parameterized statement; validation alone is not a substitute for parameterization.
  • Restrict access to delete_user.php so that only authenticated administrators can invoke it, enforcing appropriate role checks.
  • Enable comprehensive logging for all delete operations and monitor logs for anomalous activity.
  • Conduct periodic security assessments, including code reviews and automated web vulnerability scans.
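As an added example that is not code from the code-projects project (the affected function in /delete_user.php is not published on this page), the following PHP shows a hypothetical reconstruction of the vulnerable pattern the description implies beside a hardened delete handler that applies the actions above: an administrator role check, strict integer validation of ID, a prepared statement, and an audit-log line for every delete. The table name users, the column id, the $_SESSION keys, the audit-log path, the database connection parameters and the use of MySQL via mysqli are all assumptions.

```php
<?php
// Added example, not code from the code-projects Student Membership System.
// The affected function in /delete_user.php is not published on this page;
// delete_user_vulnerable() is a hypothetical reconstruction of the pattern the
// description implies (the ID argument reaching a DELETE unparameterized).
// Assumptions: MySQL via mysqli, table `users` with integer column `id`,
// $_SESSION['role'] and $_SESSION['username'], the audit-log path, and the
// connection parameters. Requires PHP 8.1+ (mysqli throws on failure by default).
declare(strict_types=1);

// Vulnerable pattern (for contrast only, do not deploy): the raw ID is spliced
// into the SQL text, so ID=1 OR 1=1 deletes every row and, on MySQL,
// ID=1 AND SLEEP(5) gives a timing oracle for blind extraction.
function delete_user_vulnerable(mysqli $db, string $rawId): bool
{
    $sql = "DELETE FROM users WHERE id = " . $rawId;
    return (bool) $db->query($sql);
}

// Strict integer validation: accepts only a positive whole number and returns
// null for anything else ("1 OR 1=1", "1;--", "7.0", "0", "", "-5" all fail).
function validate_user_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Role check: only an authenticated administrator may invoke the delete.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Hardened delete: the ID is bound as an integer parameter, never placed in the
// SQL text, and LIMIT 1 caps the damage even if a logic bug slips through.
function delete_user_safe(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Audit line for every delete attempt (log path is an assumption).
function log_delete(string $actor, int $id, int $affected): void
{
    $line = sprintf("%s delete_user actor=%s id=%d affected=%d ip=%s\n",
        date('c'), $actor, $id, $affected, $_SERVER['REMOTE_ADDR'] ?? '-');
    error_log($line, 3, __DIR__ . '/delete_audit.log');
}

// Offline self-check of the validator: `php delete_user.php` needs no database.
function validator_self_check(): bool
{
    $cases = [
        ['42', 42], ['1 OR 1=1', null], ['1;--', null], ['7.0', null],
        ['0', null], ['', null], ['-5', null], [7, 7], [null, null],
    ];
    foreach ($cases as [$in, $want]) {
        if (validate_user_id($in) !== $want) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo validator_self_check() ? "validator ok\n" : "validator FAILED\n";
} else {
    require_admin();
    $id = validate_user_id($_REQUEST['ID'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid ID');
    }
    $db = new mysqli('localhost', 'app_user', 'app_password', 'student_membership');
    $affected = delete_user_safe($db, $id);
    log_delete($_SESSION['username'] ?? 'unknown', $id, $affected);
    echo "Deleted {$affected} user(s)";
}
```

The validator and the prepared statement are independent layers: FILTER_VALIDATE_INT rejects every payload shape a SQL injection needs, and bind_param('i') means that even a value that slipped past validation would be sent as an integer parameter rather than as SQL text. Run from the command line the file exercises only the validator; under a web server it handles the request end to end.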


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Title | | code-projects Student Membership System delete_user.php sql injection
Weaknesses | | CWE-74, CWE-89
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
| | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
| | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
| | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T13:32:09.879Z

Reserved: 2026-03-30T22:24:06.315Z

Link: CVE-2026-5197

Vulnrichment

Updated: 2026-03-31T13:32:04.546Z

NVD

Status : Received

Published: 2026-03-31T10:16:19.907

Modified: 2026-03-31T10:16:19.907

Link: CVE-2026-5197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:55:53Z

Weaknesses