CVE-2026-7545

Received Received - Intake

SQL Injection in Advanced School Management System

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: VulDB

Description

A weakness has been identified in SourceCodester Advanced School Management System 1.0. The affected element is an unknown function of the file commonController.php of the component checkEmail Endpoint. This manipulation causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-01

Last Modified

2026-05-01

Generated

2026-06-16

AI Q&A

2026-05-01

EPSS Evaluated

2026-06-15

NVD

CVE-2026-7545

EUVD

EUVD-2026-26471

Affected Vendors & Products

Vendor	Product	Version / Range
sourcecodester	advanced_school_management_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and sanitization on the `val` parameter to prevent malicious SQL code injection.

Minimize database permissions to limit the impact of a potential exploit.

Conduct regular security audits to identify and address similar vulnerabilities.

Executive Summary

This vulnerability is a SQL injection issue found in the SourceCodester Advanced School Management System version 1.0. It exists in the file commonController.php, specifically in the checkEmail endpoint where the 'val' parameter is used directly in SQL queries without proper validation or sanitization.

Because of this flaw, attackers can inject malicious SQL code remotely without needing to log in or have any authorization. This can lead to unauthorized access to the database, manipulation of data, leakage of sensitive information, or even full system compromise.

Impact Analysis

The impact of this vulnerability includes unauthorized database access, which can allow attackers to view, modify, or delete sensitive data.

Attackers could manipulate data or extract confidential information, potentially leading to data breaches.

In severe cases, the vulnerability could be exploited to gain full control over the affected system.

Detection Guidance

This SQL injection vulnerability exists in the `commonController.php` file at line 85, specifically involving the `val` parameter which is used directly in SQL queries without proper validation or sanitization.

Detection can be performed by testing the `checkEmail` endpoint for SQL injection using error-based or time-based blind SQL injection payloads.

Use curl or similar tools to send crafted requests to the vulnerable endpoint, for example: curl "http://targetsite/path/commonController.php?val=' OR '1'='1"
Use SQL injection testing tools such as sqlmap targeting the `val` parameter at the `checkEmail` endpoint to automate detection.

Compliance Impact

The SQL injection vulnerability in SourceCodester Advanced School Management System 1.0 allows attackers to gain unauthorized database access, manipulate data, and potentially leak sensitive information. Such unauthorized access and data leakage can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.

Failure to secure the system against this vulnerability could result in exposure of personal or health-related data, violating confidentiality and integrity requirements stipulated by these standards.

Hi! I’m here to help you understand CVE-2026-7545. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-7545

SQL Injection in Advanced School Management System

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart