Description
A vulnerability was identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This vulnerability affects unknown code of the file buslocation.php of the component HTTP GET Parameter Handler. The manipulation of the argument bus_id leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Database Compromise
Action: Assess
AI Analysis

Impact

A SQL injection vulnerability exists in the ProjectsAndPrograms School Management System within the file buslocation.php, where the HTTP GET parameter bus_id is unconstrained and directly incorporated into database queries. The endpoint can be exploited remotely: an attacker can inject arbitrary SQL statements, potentially reading, modifying, or deleting database records. The flaw is publicly documented and exploitable without special credentials, presenting a threat to the confidentiality, integrity, and availability of the system's data.

Affected Systems

The affected product is ProjectsAndPrograms School Management System. The vulnerability applies to releases up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Because the product follows a rolling release model, no specific version numbers are listed, and updated releases are not available at the time of disclosure.

Risk and Exploitability

The CVSS score of 6.9 classifies the flaw as moderate severity. The absence of an EPSS score means no public exploitation-probability data is available, though the exploit is documented as publicly available. The vulnerability is not listed in KEV, and the rolling-release nature of the product makes patching uncertain. The likely attack vector is a remote HTTP GET request to buslocation.php with a crafted bus_id value; an attacker with network access to the web application could exploit the flaw without authentication. Given these factors, the risk is moderate to high, particularly if sensitive data is stored in the database.

Generated by OpenCVE AI on April 20, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate the bus_id parameter to accept only numeric values and reject any non‑numeric input
  • Refactor the database query to use prepared statements or parameterized queries, eliminating direct string interpolation of user input
  • Restrict access to buslocation.php to authenticated and authorized users, and monitor web logs for suspicious query activity
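
A log check covering the first and third recommended actions, added here as an illustration (it is not OpenCVE's or the project's code): it applies the numeric allow-list to bus_id in web access logs and reports requests to buslocation.php that fail it. The combined log format, the 10-digit length bound, and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Allow-list from the first recommendation; the 10-digit bound is an assumption.
NUMERIC_RE = re.compile(r"[0-9]{1,10}")


def is_valid_bus_id(value):
    """True only for a short run of ASCII digits."""
    return NUMERIC_RE.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Return (ip, status, decoded bus_id values) for buslocation.php hits that fail validation."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/buslocation.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values so "bus_id=" is seen.
        values = parse_qs(url.query, keep_blank_values=True).get("bus_id", [])
        # Flag non-numeric values and repeated parameters (ambiguous parsing).
        if len(values) > 1 or any(not is_valid_bus_id(v) for v in values):
            findings.append((m.group("ip"), int(m.group("status")), values))
    return findings


# Constructed sample log lines (documentation IP ranges), not from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2026:03:00:01 +0000] "GET /buslocation.php?bus_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Apr/2026:03:00:05 +0000] "GET /buslocation.php?bus_id=12%27 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Apr/2026:03:00:06 +0000] "GET /buslocation.php?bus_id=abc HTTP/1.1" 200 90 "-" "curl/8.0"',
    '203.0.113.4 - - [20/Apr/2026:03:00:09 +0000] "GET /index.php?bus_id=x HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [20/Apr/2026:03:00:12 +0000] "GET /buslocation.php?bus_id=3&bus_id=4 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, values in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} bus_id={values!r}")
```

The same allow-list belongs in the request handler itself, ahead of a parameterized query; the log check only shows who has been sending values that the handler should have rejected.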



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 03:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Projectsandprograms; Projectsandprograms school Management System
Vendors & Products | | Projectsandprograms; Projectsandprograms school Management System

Mon, 20 Apr 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This vulnerability affects unknown code of the file buslocation.php of the component HTTP GET Parameter Handler. The manipulation of the argument bus_id leads to SQL injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | ProjectsAndPrograms School Management System HTTP GET Parameter buslocation.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T02:00:49.226Z

Reserved: 2026-04-19T10:53:14.875Z

Link: CVE-2026-6595

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T03:16:16.777

Modified: 2026-04-20T03:16:16.777

Link: CVE-2026-6595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T03:30:41Z
