CVE-2026-5543

Received Received - Intake

SQL Injection in PHPGurukul User Management Allows Remote Exploit

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability was identified in PHPGurukul User Registration & Login and User Management System 3.3. The affected element is an unknown function of the file /admin/yesterday-reg-users.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-05

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-04-05

EPSS Evaluated

2026-06-15

NVD

CVE-2026-5543

EUVD

EUVD-2026-19036

Affected Vendors & Products

Vendor	Product	Version / Range
phpgurukul	user_registration_and_login_and_user_management_system	3.3

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

CVE-2026-5543 is a SQL injection vulnerability found in version 3.3 of the PHPGurukul User Registration & Login and User Management System. The flaw exists in the file /admin/yesterday-reg-users.php, specifically involving the 'id' parameter in HTTP GET requests. This parameter is used directly in SQL queries without proper sanitization or validation, allowing attackers to inject malicious SQL code.

Attackers can exploit this vulnerability remotely by manipulating the 'id' argument to execute unauthorized SQL commands. A proof of concept involves a time-based blind SQL injection payload that delays the server response to confirm the injection.

The root cause is insufficient input validation and the direct incorporation of user input into SQL statements without proper safeguards.

Impact Analysis

This SQL injection vulnerability can have serious impacts including unauthorized access to the database, leakage of sensitive data, tampering or modification of data, full system compromise, and potential disruption of services.

Unauthorized database access
Data leakage
Data tampering
Full system compromise
Potential service disruption

Detection Guidance

This vulnerability can be detected by testing the "id" parameter in HTTP GET requests to the /admin/yesterday-reg-users.php file for SQL injection flaws.

A common method is to use time-based blind SQL injection payloads such as `id=1' RLIKE SLEEP(5)--` to observe delayed responses indicating injection.

Automated tools like sqlmap can be used to confirm the presence of the vulnerability by targeting the affected parameter.

Mitigation Strategies

Immediate mitigation steps include:

Use prepared statements with parameter binding to separate SQL code from user input.
Implement rigorous input validation and filtering to ensure inputs conform to expected formats.
Restrict database user permissions to the minimum necessary, avoiding use of high-privilege accounts for routine operations.

These steps are critical to protect system security and maintain data integrity.

Compliance Impact

The SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System 3.3 allows unauthorized database access, data leakage, and data tampering. Such security weaknesses can lead to exposure or alteration of sensitive personal or health information, which directly impacts compliance with data protection regulations like GDPR and HIPAA.

Failure to protect data integrity and confidentiality as required by these standards can result in legal and financial penalties, as well as loss of trust. Therefore, this vulnerability poses a significant risk to meeting the security requirements mandated by common standards and regulations.

Hi! I’m here to help you understand CVE-2026-5543. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-5543

SQL Injection in PHPGurukul User Management Allows Remote Exploit

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart