CVE-2026-5665
SQL Injection in code-projects Online FIR System Login Component
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_fir_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5665 is a high-severity SQL Injection vulnerability found in the Online FIR System version 1.0, a PHP-based application. The flaw exists in the login processing script located at /Online_FIR_System/Login/checklogin.php, specifically in the handling of the email and password parameters.
The vulnerability occurs because the application directly inserts user-supplied input from the email POST parameter into an SQL query without proper validation, sanitization, or use of prepared statements. This allows attackers to inject malicious SQL code that can alter the query logic.
For example, the vulnerable code concatenates the email and password inputs directly into the SQL query: `SELECT * FROM users WHERE email='$email' AND password='$password'`. This enables attackers to manipulate the query to bypass authentication or execute arbitrary SQL commands.
How can this vulnerability impact me?
Exploiting this SQL Injection vulnerability can have severe impacts, including bypassing authentication mechanisms, which allows attackers to access user accounts without valid credentials.
Attackers can extract sensitive data from the database, modify or delete records, escalate privileges, and potentially gain full control over the application's database.
Such control can lead to data breaches, loss of data integrity, and disruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL Injection vulnerability can be detected by testing the vulnerable parameter 'email' in the POST request to the endpoint /Online_FIR_System/Login/checklogin.php.
A common detection method is to perform a time-based blind SQL injection test by injecting a payload that causes a delay in the server response.
- Send a POST request with the 'email' parameter set to `'+(select*from(select(sleep(20)))a)+'` and observe whether the server response is delayed by approximately 20 seconds.
- Example using the curl command to test the vulnerability:
  `curl -X POST -d "email='+(select*from(select(sleep(20)))a)+'&password=test" https://target/Online_FIR_System/Login/checklogin.php -v --max-time 30`
If the response is significantly delayed, it indicates that the SQL injection is successful and the vulnerability exists.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement prepared statements with parameterized queries to prevent direct concatenation of user inputs into SQL queries.
- Validate user inputs rigorously, for example, enforce proper email format validation on the 'email' parameter.
- Apply the principle of least privilege to the database accounts used by the application to limit potential damage.
- Conduct regular security testing such as penetration tests and code audits to identify and fix similar vulnerabilities.
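The first two mitigations applied to a login check shaped like the query quoted above, as an added example that is not the project's code. The function name `check_login`, the table layout, the hashed-password column and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. check_login() is a hypothetical name.
function check_login(PDO $db, string $email, string $password): ?array
{
    // 1. Validate: reject anything that is not a well-formed address.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. Parameterized query: the value is bound, never concatenated, so
    //    quotes or SQL keywords inside $email remain data.
    $stmt = $db->prepare('SELECT id, email, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // 3. Assumption: the password column holds password_hash() output, so the
    //    comparison happens in PHP rather than inside the SQL text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'email' => $row['email']];
}

// Constructed demo data in an in-memory SQLite database (assumption: the real
// application uses MySQL, where the same PDO calls apply with a mysql: DSN).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$ins->execute(['officer@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed test inputs; the third is the test string quoted on this page.
$cases = [
    ['valid credentials', 'officer@example.test', 'correct horse'],
    ['wrong password', 'officer@example.test', 'wrong'],
    ['page test string', "'+(select*from(select(sleep(20)))a)+'", 'test'],
    // If validation accepts a quote in the local part, binding still keeps it data.
    ['quote in local part', "o'brien@example.test", 'x'],
];
foreach ($cases as [$label, $email, $password]) {
    $user = check_login($db, $email, $password);
    printf("%-20s %s\n", $label, $user === null ? 'denied' : 'ok, user id ' . $user['id']);
}
```

With the MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO use server-side prepared statements instead of client-side emulation.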
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL Injection vulnerability in the Online FIR System 1.0 allows attackers to bypass authentication, extract sensitive data, modify or delete database records, and potentially gain full control over the application's database.
Such unauthorized access and data manipulation can lead to breaches of confidentiality, integrity, and availability of personal and sensitive information.
This can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal data and require organizations to implement adequate security controls to prevent unauthorized access and data breaches.