CVE-2026-10111
Deferred Deferred - Pending Action
SQL Injection in STUDENT-MANAGEMENT-SYSTEM

Publication date: 2026-05-30

Last updated on: 2026-06-01

Assigner: VulDB

Description
A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. This impacts an unknown function of the component Login Page. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-30
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-10111
EUVD
EUVD-2026-33450
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sambitraj student-management-system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10111 is a high-severity Time-Based Blind SQL Injection vulnerability affecting the login endpoints of the sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. The flaw exists because the system directly embeds user-supplied email parameters into SQL queries without any sanitization, escaping, or parameterization.

This vulnerability impacts three PHP files: admin_login.php, student_login.php, and teacher_login.php. Although the system does not display query results, the database executes the injected SQL statements, allowing attackers to exploit time delays (such as using the SLEEP() function) to infer sensitive data by measuring response times.

An attacker can send crafted login requests with malicious payloads in the email parameter, observe the response timing differences, and confirm the presence of the SQL injection vulnerability remotely.

Impact Analysis

This vulnerability can allow an attacker to extract sensitive information from the database by exploiting the blind SQL injection flaw in the login pages.

Because the injection is time-based blind, attackers can infer data such as user credentials, personal information, or other confidential data stored in the database without direct access to query results.

Successful exploitation could lead to unauthorized access, data leakage, and compromise of the integrity and confidentiality of the system's data.

Detection Guidance

This vulnerability can be detected by sending crafted login requests to the affected login endpoints (admin_login.php, student_login.php, teacher_login.php) with malicious email parameters designed to trigger time delays in the database response.

By measuring the response time differences between normal and malicious requests, you can confirm the presence of a time-based blind SQL injection.

Example commands using curl to test the injection might include sending payloads that use SQL SLEEP() functions in the email parameter and comparing response times.

  • curl -X POST -d "[email protected]&password=any" http://target/admin_login.php
  • curl -X POST -d "[email protected]' OR IF(SLEEP(5),1,0)-- &password=any" http://target/admin_login.php

If the second request takes significantly longer to respond, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially the email parameter on login pages.

Use parameterized queries or prepared statements to prevent SQL injection.

If possible, restrict access to the login endpoints or implement web application firewall (WAF) rules to detect and block SQL injection attempts.

Monitor logs for suspicious login attempts with unusual payloads.

Since the project has not responded yet, consider applying patches or updates once available or review and fix the source code to properly handle input sanitization.

Compliance Impact

The vulnerability is a time-based blind SQL injection in the login endpoints of the Student Management System, which allows attackers to infer sensitive data from the database by exploiting response timing delays.

Such a vulnerability can lead to unauthorized access or exposure of sensitive personal data stored in the system, which may include student, teacher, or administrative information.

Exposure or compromise of personal data due to this vulnerability could result in non-compliance with data protection regulations such as GDPR or HIPAA, which require adequate security measures to protect personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling data breaches or unauthorized data access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart