Description
A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm_logged_in of the file student_trans.php. Such manipulation of the argument FIRST_NAME/Last_Name/EMAIL leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StudentManagementSystem's confirm_logged_in function in student_trans.php contains a SQL injection flaw because user input from the FIRST_NAME, Last_Name, and EMAIL parameters is inserted directly into SQL statements without proper sanitization. The vulnerability is confirmed to be exploitable remotely: any client with network access to the web service can trigger it by sending crafted input. Given the nature of SQL injection, a successful exploit could allow an attacker to read, modify, or delete data stored in the database, leading to confidentiality, integrity, or availability problems.

Affected Systems

This weakness affects the StudentManagementSystem project maintained by yashpokharna2555. The project follows a rolling‑release model and does not publish discrete version numbers, so the flaw may be present in all current releases until the developer releases a fix. No patch or updated version is currently available, and the maintainer has not responded to the reported issue.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that known exploitation is not documented as of now. Attackers can trigger the flaw remotely through the normal web interface, exploiting the absence of input validation and the use of dynamic SQL in confirm_logged_in. This allows an attacker to manipulate database queries, potentially exposing or altering sensitive data.

Generated by OpenCVE AI on May 25, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a future StudentManagementSystem release that contains a fix for the injection flaw.
  • Alter the confirm_logged_in implementation to use prepared statements or parameterized queries so that user-supplied data is never concatenated into SQL strings.
  • Add strict validation rules for the FIRST_NAME, Last_Name, and EMAIL inputs, rejecting or escaping characters that could break out of the intended query context.
  • Deploy a web application firewall or intrusion detection system tuned to detect common SQL injection payload patterns and block malicious requests.
  • Re‑evaluate and restrict the database account used by the application to only the permissions necessary for its normal operation.
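The second and third recommended actions, shown as an added illustration rather than the project's own code (student_trans.php is not reproduced on this page): a hypothetical confirm_logged_in-style lookup in its vulnerable concatenating form next to a hardened form that allowlist-validates FIRST_NAME, Last_Name and EMAIL and then binds them with a mysqli prepared statement. The table name, column names and query shape are assumptions.

```php
<?php
// Added illustration, NOT the StudentManagementSystem source: table and
// column names and the query shape are assumptions for this example.

// Vulnerable pattern (the flaw class described above): request values are
// concatenated into the SQL text, so a quote in the input edits the query.
function confirm_logged_in_vulnerable(mysqli $db, array $req): ?array {
    $sql = "SELECT id FROM students WHERE first_name = '" . $req['FIRST_NAME']
         . "' AND last_name = '" . $req['Last_Name']
         . "' AND email = '" . $req['EMAIL'] . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened form, step 1: allowlist validation of each field. Returns the
// cleaned values or null if any field is missing or malformed.
function validate_login_fields(array $req): ?array {
    $clean = [];
    foreach (['FIRST_NAME', 'Last_Name', 'EMAIL'] as $f) {
        if (!isset($req[$f]) || !is_string($req[$f])) {
            return null;
        }
        $v = trim($req[$f]);
        if ($f === 'EMAIL') {
            if (strlen($v) > 254 || !filter_var($v, FILTER_VALIDATE_EMAIL)) {
                return null;
            }
        } elseif (!preg_match("/^[\p{L}' .-]{1,64}$/u", $v)) {
            return null; // names: letters, space, apostrophe, dot, hyphen
        }
        $clean[$f] = $v;
    }
    return $clean;
}

// Hardened form, step 2: a prepared statement binds the values as data, so
// even an apostrophe in a legitimate surname cannot alter the query.
function confirm_logged_in_fixed(mysqli $db, array $req): ?array {
    $in = validate_login_fields($req);
    if ($in === null) {
        return null; // reject before touching the database
    }
    $stmt = $db->prepare('SELECT id FROM students'
        . ' WHERE first_name = ? AND last_name = ? AND email = ?');
    $stmt->bind_param('sss', $in['FIRST_NAME'], $in['Last_Name'], $in['EMAIL']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The validation alone is not the SQL injection fix; the prepared statement is, and the validation layer bounds length and character set so malformed input is rejected before any query runs.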



Advisories

No advisories yet.

History

Mon, 25 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm_logged_in of the file student_trans.php. Such manipulation of the argument FIRST_NAME/Last_Name/EMAIL leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Title | | yashpokharna2555 StudentManagementSystem student_trans.php confirm_logged_in sql injection
First Time appeared | | Yashpokharna2555; Yashpokharna2555 studentmanagementsystem
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:yashpokharna2555:studentmanagementsystem:*:*:*:*:*:*:*:*
Vendors & Products | | Yashpokharna2555; Yashpokharna2555 studentmanagementsystem
References | |
Metrics (cvssV2_0) | | {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | | {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | | {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | | {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T15:30:11.434Z

Reserved: 2026-05-24T09:06:03.816Z

Link: CVE-2026-9470

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T17:30:06Z

Weaknesses