CVE-2026-5198

Received Received - Intake

SQL Injection in Student Membership System Admin Login Allows Remote Exploit

Publication date: 2026-03-31

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin Login. This manipulation of the argument username/password causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-31

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-03-31

EPSS Evaluated

2026-06-15

NVD

CVE-2026-5198

EUVD

EUVD-2026-17399

Affected Vendors & Products

Vendor	Product	Version / Range
code-projects	student_membership_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Compliance Impact

This SQL Injection vulnerability in the Student Membership System allows attackers to bypass authentication and gain full administrative access, potentially leading to unauthorized access, modification, or deletion of sensitive data.

Such unauthorized access and potential data compromise can violate common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Failure to secure authentication mechanisms and protect data integrity may result in non-compliance with these regulations, leading to legal and financial consequences.

Executive Summary

CVE-2026-5198 is a high-severity SQL Injection vulnerability found in the Student Membership System version 1.0, specifically in the administrator login function located in the file /admin/index.php.

The vulnerability occurs because the system constructs an SQL query by directly concatenating the username and password inputs without proper sanitization or parameterization.

This allows an attacker to inject malicious SQL code, such as a universal password payload (' OR '1'='1), into the username field to bypass authentication and gain unauthorized access to the administrator dashboard.

Impact Analysis

Exploitation of this vulnerability allows an attacker to bypass authentication and gain full administrative privileges on the Student Membership System.

Delete or modify all data within the system.
Create new administrator accounts.
Perform other malicious actions with full control over the system.

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection in the administrator login function by injecting a payload into the username field to bypass authentication.

A common proof-of-concept payload to test for this vulnerability is to use the username value: admin' OR '1'='1 and any password value.

You can use tools like curl or Burp Suite to send a POST request to the /admin/index.php login endpoint with the following parameters:

username=admin' OR '1'='1
password=anything

Example curl command to test the vulnerability:

curl -X POST -d "username=admin' OR '1'='1&password=anything&login=Login" http://targetsite/admin/index.php

If the response indicates successful login without valid credentials, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include modifying the authentication code to use prepared statements (parameterized queries) instead of directly concatenating user inputs into SQL queries.

Additionally, implement secure password handling by using functions such as password_hash() and password_verify() to store and verify passwords securely, rather than storing plaintext passwords.

Avoid using direct string concatenation for SQL queries to prevent SQL injection attacks.

If immediate code changes are not possible, consider restricting access to the /admin/index.php page by IP whitelisting or other access control mechanisms as a temporary measure.

Hi! I’m here to help you understand CVE-2026-5198. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-5198

SQL Injection in Student Membership System Admin Login Allows Remote Exploit

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart