CVE-2026-5198 - Vulnerability Details

Description

A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin Login. This manipulation of the argument username/password causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Published: 2026-03-31

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Student Membership System contains a flaw in its admin login routine that permits an attacker to inject arbitrary SQL statements through unsanitized username or password input. An attacker may craft a login payload that is executed by the underlying database, potentially allowing read, modify or delete operations on sensitive data. This can lead to data compromise or unapproved manipulation of system content, impacting the confidentiality and integrity of the application’s data store.

Affected Systems

The vulnerable component is the admin login page located at /admin/index.php in code-projects Student Membership System version 1.0. The flaw resides in an unidentified function within that file that processes the login credentials.

Risk and Exploitability

The evaluated CVSS score of 6.9 indicates a medium severity level. Exploitation is achievable over the internet through normal web request traffic, and the vulnerability has already been publicly disclosed. No EPSS score is available, and the issue is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Student Membership System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch or upgrade to a newer, non‑vulnerable release of Student Membership System.
Refactor the login handling to use prepared statements or other parameterized query techniques, ensuring that user input is never concatenated directly into SQL.
Implement input validation or sanitization logic for the username and password fields to reject or escape characters that could alter query structure.
Enforce reasonable limits on the length of the username and password inputs to reduce the likelihood of successful injection attempts.
Deploy or configure a Web Application Firewall to detect and block SQL injection patterns, and monitor the application for suspicious login activity.

Generated by OpenCVE AI on March 31, 2026 at 12:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/maidangdang1/CVE/issues/4
https://vuldb.com/submit/780403
https://vuldb.com/vuln/354296
https://vuldb.com/vuln/354296/cti

History

Tue, 31 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 31 Mar 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin Login. This manipulation of the argument username/password causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title		code-projects Student Membership System Admin Login index.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://code-projects.org/ https://github.com/maidangdang1/CVE/issues/4 https://vuldb.com/submit/780403 https://vuldb.com/vuln/354296 https://vuldb.com/vuln/354296/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-31T11:00:13.682Z

Updated: 2026-03-31T18:03:55.741Z

Reserved: 2026-03-30T22:24:10.906Z

Link: CVE-2026-5198

Vulnrichment

Updated: 2026-03-31T14:58:26.756Z

NVD

Status : Received

Published: 2026-03-31T12:16:31.530

Modified: 2026-03-31T12:16:31.530

Link: CVE-2026-5198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:55:49Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object