CVE-2026-11531
Received Received - Intake
SQL Injection in imvks786 Student Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11531
EUVD
EUVD-2026-35125
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imvks786 student_management_system to 9599b560ad3c3b83e75d328b76bedcd489ef1f46 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL Injection flaw in the admin login functionality of the imvks786 student_management_system. It occurs in the file admin/admin_login.php where the username (a_usr) and password (a_pwd) inputs are directly used in an SQL query without proper sanitization or parameterization.

An attacker can inject malicious SQL code, such as a boolean-based payload like "admin' OR '1'='1", into the username field. This manipulates the SQL query to always return a valid result, bypassing the password check and granting unauthorized administrative access.

The attack can be performed remotely by submitting the crafted input on the admin login page, leading to a complete authentication bypass.

Compliance Impact

The vulnerability is a SQL injection in the administrator login endpoint that allows an attacker to bypass authentication and gain full administrative access remotely.

Such unauthorized access could lead to exposure, modification, or deletion of sensitive personal data managed by the student management system.

This exposure and potential data breach could violate common data protection standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Therefore, the vulnerability negatively impacts compliance by increasing the risk of data breaches and unauthorized data manipulation.

Impact Analysis

This vulnerability allows an attacker to bypass authentication and gain full administrative access to the student management system without valid credentials.

  • Unauthorized access to sensitive administrative functions.
  • Potential manipulation, deletion, or theft of student records and other critical data.
  • Compromise of the integrity and confidentiality of the system.
  • Remote exploitation without any user interaction or privileges.
Detection Guidance

This vulnerability can be detected by testing the admin login endpoint for SQL injection by manipulating the username (a_usr) and password (a_pwd) parameters.

A common detection method is to attempt to inject a boolean-based payload such as "admin' OR '1'='1" into the username field and observe if the login is bypassed.

You can use tools like curl or sqlmap to test this remotely.

  • Using curl to test the login endpoint: curl -X POST -d "a_usr=admin' OR '1'='1& a_pwd=anypassword" http://target/admin/admin_login.php
  • Using sqlmap to test for SQL injection: sqlmap -u "http://target/admin/admin_login.php" --data="a_usr=admin&a_pwd=pass" --risk=3 --level=5 --batch
Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and using parameterized queries or prepared statements to prevent SQL injection.

Restricting or disabling the vulnerable admin login endpoint until a patch is available can reduce exposure.

Monitoring access logs for suspicious login attempts with SQL injection payloads is also recommended.

Since the project has not yet responded with a fix, consider applying web application firewall (WAF) rules to block common SQL injection patterns targeting the admin login.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart