CVE-2026-10226
Deferred Deferred - Pending Action
SQL Injection in Student Management System by PHP

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A flaw has been found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument user_id/course_id/teacher_id/student_id/application_id can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10226
EUVD
EUVD-2026-33559
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
raisulislamg4 student_management_system_by_php to 310d950e09013d5133c6b9210aff9444382d16d1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-10226 exists in the delete.php file of the raisulislamg4 student_management_system_by_php. It allows an attacker to delete arbitrary records such as users, courses, teachers, students, or applications without any authentication or authorization.

This happens because the delete.php script does not check if the requester is logged in or has permission to delete records. Additionally, the script constructs SQL queries by directly concatenating unsanitized GET parameters, which leads to SQL injection.

An attacker can exploit this by crafting a URL with parameters like user_id, course_id, teacher_id, student_id, or application_id to delete records remotely and without authentication.

Impact Analysis

This vulnerability can have serious impacts including unauthorized deletion of important records such as user accounts, courses, teachers, students, or applications.

Because the vulnerability allows remote exploitation without authentication, an attacker can manipulate or destroy data, potentially causing data loss, disruption of service, and compromising the integrity of the system.

The SQL injection aspect also increases the risk of further database compromise or data leakage.

Detection Guidance

This vulnerability can be detected by testing the delete.php endpoint for unauthorized record deletion and SQL injection via URL parameters such as user_id, course_id, teacher_id, student_id, or application_id.

  • Send HTTP requests to the delete.php script with various parameters to check if records can be deleted without authentication, for example: curl -i "http://<target>/delete.php?user_id=1"
  • Attempt SQL injection payloads in the parameters to see if the backend database responds with errors or unexpected behavior, e.g., curl -i "http://<target>/delete.php?user_id=1' OR '1'='1"
  • Monitor network traffic for suspicious requests targeting delete.php with parameters that could indicate exploitation attempts.
Mitigation Strategies

Immediate mitigation steps include restricting access to the delete.php endpoint to authenticated and authorized users only.

Implement proper input validation and parameter sanitization to prevent SQL injection attacks.

If possible, apply web application firewall (WAF) rules to block malicious requests targeting the vulnerable parameters.

Monitor logs for unauthorized deletion attempts and unusual activity related to delete.php.

Compliance Impact

The vulnerability allows unauthenticated arbitrary deletion of records and SQL injection in the student management system, which can lead to unauthorized access, modification, or deletion of sensitive data.

Such unauthorized data manipulation and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality.

Specifically, the lack of authentication and authorization combined with SQL injection risks could lead to exposure or loss of personal data, violating principles of data security and privacy mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart