CVE-2026-2158
SQL Injection in Student Web Portal /check_user.php Allows Remote Attack
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | student_web_portal | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-2158 is a SQL Injection vulnerability found in version 1.0 of the code-projects Student Web Portal, specifically in the file /check_user.php. The vulnerability occurs because the application directly concatenates user input from the 'username' HTTP GET parameter into an SQL query without proper sanitization or parameterization. This allows an attacker to inject malicious SQL code remotely without authentication, manipulating the database query logic."}, {'type': 'paragraph', 'content': 'The flaw corresponds to CWE-89, where special characters in user input are not neutralized, enabling modification of the intended SQL command.'}] [2, 3]
How can this vulnerability impact me? :
This vulnerability can have several impacts including:
- Bypassing or manipulating username existence checks, causing inconsistent responses.
- Performing blind SQL Injection attacks (boolean or time-based) to infer database contents even if error messages are suppressed.
- Disclosure of sensitive data if the database user has broad read privileges.
Overall, it impacts the confidentiality, integrity, and availability of the system and can be exploited remotely without authentication or user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /check_user.php endpoint with manipulated inputs in the username parameter to check for SQL injection behavior.'}, {'type': 'paragraph', 'content': 'One method to identify vulnerable targets is using Google dorking with queries such as "inurl:check_user.php" to find instances of the affected page.'}, {'type': 'paragraph', 'content': 'To test for SQL injection on your system, you can use commands or tools that send crafted HTTP GET requests to the vulnerable parameter and observe the responses for anomalies.'}, {'type': 'list_item', 'content': 'Use curl to send a test request with a typical SQL injection payload, for example: curl "http://targetsite.com/check_user.php?username=\' OR \'1\'=\'1"'}, {'type': 'list_item', 'content': 'Use sqlmap, an automated SQL injection tool, to test the URL: sqlmap -u "http://targetsite.com/check_user.php?username=test" --batch'}] [3, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate recommended mitigation is to modify the vulnerable code to use prepared statements with parameterized queries instead of directly concatenating user input into SQL queries.'}, {'type': 'paragraph', 'content': "Specifically, replace the vulnerable code in /check_user.php that uses $_GET['username'] directly in the SQL query with a safe prepared statement as shown in the example below:"}, {'type': 'list_item', 'content': '<?php error_reporting(0); include \'config.php\'; if (isset($_GET[\'username\'])) { $username = $_GET[\'username\']; $stmt = mysqli_prepare($connection, "SELECT 1 FROM user WHERE user_name = ? LIMIT 1"); if ($stmt) { mysqli_stmt_bind_param($stmt, "s", $username); mysqli_stmt_execute($stmt); mysqli_stmt_store_result($stmt); if (mysqli_stmt_num_rows($stmt) === 1) { echo "Username already exist."; } else { echo "Username Available"; } mysqli_stmt_close($stmt); } } ?>'}, {'type': 'paragraph', 'content': 'If immediate code changes are not possible, consider restricting access to the vulnerable endpoint or applying web application firewall (WAF) rules to block suspicious SQL injection attempts.'}] [2]