Description
A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. Manipulation of the argument User causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was discovered in the StudentManagementSystem's success.php file that permits attackers to inject arbitrary SQL statements via the User argument. The flaw arises from unsanitized input acceptance, allowing full control over the SQL query. This leads to a SQL injection that can compromise database confidentiality and integrity, potentially exposing sensitive student records or allowing unauthorized account creation. The weakness is related to CWE-74 and CWE-89.

Affected Systems

The affected product is yashpokharna2555 StudentManagementSystem. No specific version numbers exist because the project deploys a rolling release model, so any current build may contain the vulnerability. The flaw resides in an unknown function within success.php and can be triggered remotely in any publicly accessible deployment.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while EPSS data is not available, making precise exploitation probability unclear. However, because the vulnerability has been publicly demonstrated and can be initiated remotely, the risk is significant. The lack of an official patch or workaround means attackers could exploit this flaw at any time. The vulnerability is not listed in the CISA KEV catalog, but the availability of a public exploit warrants immediate mitigation measures.

Generated by OpenCVE AI on May 25, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of StudentManagementSystem or apply any patch provided by the maintainer
  • Modify success.php to use parameterized queries or otherwise sanitize and validate the User input, following SQL injection mitigation best practices
  • Restrict remote access to success.php by enforcing authentication or placing the script behind a firewall that blocks unauthenticated requests and filters user-supplied data


Advisories

No advisories yet.

History

Mon, 25 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. Manipulation of the argument User causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title yashpokharna2555 StudentManagementSystem success.php sql injection
First Time appeared Yashpokharna2555
Yashpokharna2555 studentmanagementsystem
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:yashpokharna2555:studentmanagementsystem:*:*:*:*:*:*:*:*
Vendors & Products Yashpokharna2555
Yashpokharna2555 studentmanagementsystem
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T15:15:11.098Z

Reserved: 2026-05-24T09:03:17.992Z

Link: CVE-2026-9469

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T18:00:15Z

Weaknesses