CVE-2026-5575
Received Received - Intake
SQL Injection in SourceCodester jkev RMS Login Component

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file index.php of the component Login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-04-05
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5575
EUVD
EUVD-2026-19099
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sourcecodester jkev_record_management_system 1.0
sourcecodester personnel_record_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Monitor official channels for patches and apply updates promptly once available.
  • Replace all direct SQL concatenations with prepared statements and parameterized queries using PDO or MySQLi to separate code and data.
  • Implement strict input validation and filtering to prevent malicious input.
  • Enforce the principle of least privilege by using dedicated database accounts with minimal required permissions; avoid using highly privileged accounts like root.
  • Disable PHP error display (set display_errors = Off) in production environments to prevent information leakage.
  • Consider deploying a Web Application Firewall (WAF) and conduct regular secure code audits.

Can you explain this vulnerability to me?

CVE-2026-5575 is a SQL Injection vulnerability found in the SourceCodester/jkev Record Management System 1.0, specifically in the login module (index.php) and other user management components. The vulnerability arises because user inputs, such as Username and Password, are not properly sanitized before being used in SQL queries.

Attackers can exploit this flaw by injecting malicious SQL code into the Username or other input fields, which allows them to bypass authentication, hijack accounts, steal plaintext passwords, and gain unauthorized access to the administrator dashboard.

Once inside, attackers can view, modify, or delete all stored data, leading to severe data disclosure and system compromise.


How can this vulnerability impact me? :

This vulnerability can have serious impacts including unauthorized access to the system by attackers without needing valid credentials.

  • Bypassing authentication to gain administrator-level access.
  • Hijacking arbitrary user accounts and stealing plaintext passwords.
  • Viewing, modifying, or deleting sensitive personnel records and other stored data.
  • Complete system compromise, potentially leading to loss of data integrity, confidentiality, and availability.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing for SQL injection points in the login and user management modules, especially in the index.php and search_user.php files.

One practical approach is to use sqlmap with appropriate request files to verify the presence of SQL injection vulnerabilities.

  • Use boolean-based blind injection payloads on the Username parameter to check for authentication bypass.
  • Use time-based blind injection payloads to confirm SQL injection by observing response delays.
  • Example boolean-based payload for login bypass: UserName=123' RLIKE (SELECT (CASE WHEN (1470=1470) THEN 123 ELSE 0x28 END))-- GrAC Password='OR'1'='1
  • Example time-based payload for login bypass: UserName=123' AND (SELECT 4771 FROM (SELECT(SLEEP(5)))xbDf)-- OLwG Password='OR'1'='1
  • Example boolean-based payload for search injection: search=-5641' OR 7541=7541#
  • Example time-based payload for search injection: search=test' AND (SELECT 8891 FROM (SELECT(SLEEP(5)))FApJ)-- VoZp

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The SQL injection vulnerability in the Personnel Record Management System allows attackers to bypass authentication, gain unauthorized administrator access, and view or modify all stored data. This can lead to severe data disclosure and system compromise.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability.

Failure to protect against this vulnerability could lead to exposure of personal data, violating data protection requirements and potentially resulting in legal and financial penalties under these regulations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart