CVE-2026-26697
SQL Injection in Simple Student Alumni System Allows Data Access
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | simple_student_alumni_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in code-projects Simple Student Alumni System version 1.0 is an SQL Injection issue located in the /TracerStudy/recordteacher_view.php file, specifically in the teacherID parameter.
This means that an attacker can manipulate the SQL query by injecting malicious SQL code through the teacherID parameter, potentially allowing unauthorized access or manipulation of the database.
How can this vulnerability impact me? :
This SQL Injection vulnerability can allow attackers to access, modify, or delete sensitive data stored in the database without authorization.
It may lead to data breaches, loss of data integrity, unauthorized data disclosure, or even complete compromise of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability is an SQL Injection in the parameter teacherID of the /TracerStudy/recordteacher_view.php page in code-projects Simple Student Alumni System v1.0.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can attempt to inject SQL payloads into the teacherID parameter and observe the response for SQL errors or unexpected behavior.'}, {'type': 'list_item', 'content': 'Use curl or a browser to send requests with SQL injection payloads, for example: curl "http://yourserver/TracerStudy/recordteacher_view.php?teacherID=1\' OR \'1\'=\'1"'}, {'type': 'list_item', 'content': 'Use automated tools like sqlmap to test the parameter: sqlmap -u "http://yourserver/TracerStudy/recordteacher_view.php?teacherID=1" --batch'}, {'type': 'list_item', 'content': 'Monitor web server logs for suspicious input patterns in the teacherID parameter.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs, especially the teacherID parameter, to prevent SQL injection.
Use prepared statements or parameterized queries in the code to safely handle database queries.
If possible, apply any available patches or updates from the vendor or source code repository.
Restrict database user permissions to limit the impact of a potential injection.
Consider implementing a web application firewall (WAF) to detect and block SQL injection attempts.