CVE-2026-5196
SQL Injection in Student Membership System /delete_member.php
Publication date: 2026-03-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | student_membership_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5196 is a SQL Injection vulnerability found in the Student Membership System version 1.0, specifically in the file delete_member.php.
The vulnerability occurs because the member deletion function directly uses the 'id' parameter from user input ($_POST['id']) in an SQL DELETE statement without any sanitization or use of prepared statements.
This allows an attacker to manipulate the 'id' parameter to execute arbitrary SQL commands, such as deleting all member records or even dropping entire database tables.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized deletion of member records or entire database tables.
- An attacker can delete all member records by injecting SQL code like 'id=1' OR '1'='1'.
- More destructive SQL commands such as DROP TABLE can be executed, leading to permanent data loss.
Overall, it threatens data integrity and availability, potentially causing significant disruption to the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /delete_member.php endpoint for SQL injection by manipulating the 'id' parameter in POST requests.
A simple test command using curl to detect the vulnerability could be:
- curl -X POST -d "id=1' OR '1'='1" http://targetsite/delete_member.php
If the response indicates that multiple or all member records are deleted or affected, it confirms the presence of the SQL injection vulnerability.
Additionally, monitoring SQL queries or database logs for suspicious input patterns involving the 'id' parameter can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement prepared statements using PDO or MySQLi to safely handle the 'id' parameter and prevent SQL injection.
- Apply strict type validation and escaping on all user inputs, especially the 'id' parameter, to ensure only valid data is processed.
- Restrict access to the /delete_member.php endpoint to authorized users only, minimizing exposure.
- Review and monitor database logs for any suspicious activity related to member deletion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Student Membership System 1.0 allows attackers to manipulate database queries, potentially leading to unauthorized data deletion or alteration. Such unauthorized access and modification of personal data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of data integrity and confidentiality.
Specifically, the ability to delete or corrupt member records could lead to loss of personal data or compromise of data integrity, violating principles of data security and availability mandated by these standards.
Remediation steps such as using prepared statements and input validation are necessary to mitigate these risks and help maintain compliance.