CVE-2026-11530
Received - Intake
SQL Injection in imvks786 Student Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This affects an unknown function of the file /index.php of the component Login. Manipulation of the argument usr/pwd leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. This product uses a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information

  • Published: 2026-06-08
  • Last Modified: 2026-06-08
  • Generated: 2026-06-09
  • AI Q&A: 2026-06-08
  • EPSS Evaluated: N/A

Affected Vendors & Products

  • Vendor: imvks786
  • Product: student_management_system
  • Version / Range: up to and including 9599b560ad3c3b83e75d328b76bedcd489ef1f46

CWE

  • CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
  • CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

CVE-2026-11530 is a SQL injection vulnerability found in the imvks786 student_management_system, specifically in the Login component's index.php file. This vulnerability arises because user inputs for username and password (usr/pwd) are not properly validated or sanitized before being used in SQL queries. Attackers can manipulate these inputs to alter the SQL query logic, allowing them to bypass authentication or execute arbitrary SQL commands remotely.

The vulnerability affects multiple database interaction points in the application where user-supplied data from GET and POST requests is directly concatenated into SQL statements without parameterization or escaping. This leads to severe security issues such as authentication bypass, unauthorized data deletion, privilege escalation, and data exposure.

Impact Analysis

This vulnerability can have critical impacts including complete authentication bypass for all user roles (department, admin, student), allowing attackers to gain unauthorized access without valid credentials.

  • Attackers can delete or modify records arbitrarily, compromising data integrity.
  • Sensitive data can be extracted from the database through SQL injection techniques such as UNION-based or blind SQL injection.
  • Privilege escalation is possible, enabling attackers to gain higher-level permissions.

Overall, exploitation of this vulnerability can lead to full system compromise, data loss, and unauthorized control over the student management system.

Detection Guidance

This vulnerability can be detected by testing for SQL injection points in the affected application, particularly in the login functionality where the usr and pwd parameters are used.

One common method is to attempt SQL injection payloads in the username or password fields, such as using ' OR '1'='1 to check if authentication can be bypassed.

Network or system detection can also involve monitoring for unusual SQL query patterns or unexpected database errors triggered by malformed inputs.

  • Use curl or similar tools to send crafted HTTP requests to the login endpoint, for example:
      curl -X POST -d "usr=' OR '1'='1&pwd=anything" http://target/index.php
  • Check web server logs for suspicious input patterns or repeated failed login attempts with SQL syntax.
  • Use automated SQL injection detection tools (e.g., sqlmap) targeting the login page to confirm the vulnerability.

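The log check described above can be scripted. The following is an added example, not code from the project: it flags login requests whose usr or pwd value contains SQL syntax. The tab-separated log format, the sample lines and the pattern set are constructed assumptions; only the usr/pwd parameter names come from the advisory.

```php
<?php
// Constructed sample: one line per login request, "client-ip<TAB>raw urlencoded body".
const SAMPLE_LOG = [
    "203.0.113.7\tusr=alice&pwd=correct-horse",
    "198.51.100.23\tusr=%27+OR+%271%27%3D%271&pwd=anything",
    "198.51.100.23\tusr=admin%27--+&pwd=x",
    "203.0.113.9\tusr=o%27brien&pwd=s3cret",   // legitimate apostrophe, must not match
];

// Heuristics for SQL syntax inside a credential field (assumed pattern set).
const SQLI_PATTERNS = [
    'tautology' => "/'\\s*(or|and)\\s+['\\d]/i",
    'comment'   => "/'\\s*(--|#|\\/\\*)/",
    'union'     => '/\\bunion\\b.+\\bselect\\b/i',
    'stacked'   => "/;\\s*(select|insert|update|delete|drop)\\b/i",
];

// Returns the list of "field:pattern" hits for one request body.
function classify_login(string $rawBody): array {
    parse_str($rawBody, $params);            // decodes the body the way PHP fills $_POST
    $hits = [];
    foreach (['usr', 'pwd'] as $field) {
        $value = $params[$field] ?? '';
        if (!is_string($value)) {            // usr[]=... style input is itself anomalous
            $hits[] = "$field:non-scalar";
            continue;
        }
        foreach (SQLI_PATTERNS as $name => $re) {
            if (preg_match($re, $value)) {
                $hits[] = "$field:$name";
            }
        }
    }
    return $hits;
}

// Groups hits by client address so repeated attempts from one source stand out.
function scan_log(array $lines): array {
    $flagged = [];
    foreach ($lines as $line) {
        [$ip, $body] = array_pad(explode("\t", $line, 2), 2, '');
        $hits = classify_login($body);
        if ($hits) {
            $flagged[$ip][] = $hits;
        }
    }
    return $flagged;
}

print_r(scan_log(SAMPLE_LOG));
```

Pattern matching of this kind is a triage signal for review and alerting; it does not replace fixing the query construction.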
Mitigation Strategies

As an immediate step, validate and sanitize all user input, especially input that is used in SQL queries.

Implement prepared statements or parameterized queries instead of directly concatenating user input into SQL commands.
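The difference between concatenation and a parameterized query, as an added example that is not the project's own code: the table layout, the function names and the in-memory SQLite database (via PDO) are constructed assumptions so the script runs offline; only the usr/pwd parameter names and the test string come from this page.

```php
<?php
// Constructed demo database; the real application's schema is not shown on this page.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (usr TEXT PRIMARY KEY, pwd TEXT, role TEXT)");
    // Plaintext values only so both variants compare inside SQL;
    // production code stores password_hash() output and checks it with password_verify().
    $db->exec("INSERT INTO users VALUES
        ('admin', 'constructed-admin-pw', 'admin'),
        ('s1001', 'constructed-student-pw', 'student')");
    return $db;
}

// Vulnerable pattern (CWE-89): input becomes part of the statement text,
// so a quote inside $usr or $pwd ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $usr, string $pwd): ?string {
    $sql = "SELECT role FROM users WHERE usr = '$usr' AND pwd = '$pwd'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['role'] : null;
}

// Hardened: the statement text is fixed at prepare time; values are bound as data
// and are never parsed as SQL, whatever characters they contain.
function login_prepared(PDO $db, string $usr, string $pwd): ?string {
    $stmt = $db->prepare('SELECT role FROM users WHERE usr = :usr AND pwd = :pwd');
    $stmt->execute([':usr' => $usr, ':pwd' => $pwd]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['role'] : null;
}

$db = demo_db();
$probe = "' OR '1'='1";   // the test string quoted in the detection guidance

// Concatenated query: the probe in the password field rewrites the WHERE clause.
var_dump(login_concat($db, 'admin', $probe));
// Prepared query: the same probe is compared as a literal password and matches nothing.
var_dump(login_prepared($db, 'admin', $probe));
// Prepared query with the constructed valid credentials still authenticates.
var_dump(login_prepared($db, 'admin', 'constructed-admin-pw'));
```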

Restrict database user permissions to the minimum necessary to reduce the impact of a potential injection.

Monitor and block suspicious requests that contain SQL injection payloads at the web application firewall (WAF) or intrusion detection system (IDS) level.

If possible, temporarily disable or restrict access to the vulnerable login functionality until a secure patch or update is applied.

Regularly update the application and dependencies once the vendor or project releases a fix.

Compliance Impact

The SQL injection vulnerabilities in the student management system allow attackers to bypass authentication, manipulate data arbitrarily, and exfiltrate sensitive information. Such unauthorized access and data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data. The ability to access, modify, or delete user data without authorization undermines confidentiality, integrity, and availability requirements essential for compliance with these standards.

Because the system manages student records and user credentials, exploitation of these vulnerabilities could result in unauthorized disclosure of personally identifiable information (PII) or protected health information (PHI), thereby increasing the risk of non-compliance with privacy laws and regulations.
