VYPR
High severity · 7.3 · NVD Advisory · Published May 30, 2026

CVE-2026-10110

Description

A vulnerability was detected in code-projects Student Details Management System 1.0. This affects an unknown function of the file /index.php. Manipulation of the argument roll results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Student Details Management System 1.0 allows unauthenticated remote attackers to extract database contents via the roll parameter.

Vulnerability

A SQL injection vulnerability exists in the index.php file of code-projects Student Details Management System 1.0 [1]. The roll parameter passed via POST request is directly concatenated into a raw SQL query without sanitization or prepared statements [2]. The vulnerable code is in lines 51–59 of index.php, where $_POST['roll'] is used in the query SELECT * FROM student WHERE standard = '$Standard' OR rollno='$RollNo' [2]. No authentication is required to reach this code path.

Exploitation

An unauthenticated remote attacker can exploit this by sending a POST request to the /SMS/index.php endpoint with a malicious roll parameter [2]. The attacker first confirms normal behavior with a valid roll number, then triggers a SQL error by entering a single quote (') to confirm the injection point [2]. Using UNION-based SQL injection, the attacker can extract arbitrary data from the database.

Impact

Successful exploitation allows the attacker to dump the entire database, including credential tables, leading to full compromise of the application and its data [2]. The CVSS score is 9.8 (Critical) per the reference, indicating high impact on confidentiality, integrity, and availability [2].

Mitigation

No official fix has been released by the vendor as of the publication date [1]. The application should use parameterized queries (prepared statements) or input validation to prevent SQL injection. Until a patch is available, restricting network access to the application is recommended.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Direct concatenation of unsanitized user input from the `roll` POST parameter into a SQL query allows arbitrary SQL injection."

Attack vector

An unauthenticated remote attacker sends a POST request to `/SMS/index.php` with a malicious `roll` parameter containing SQL metacharacters. Because the parameter is directly interpolated into the query `SELECT * FROM student WHERE standard = '$Standard' OR rollno='$RollNo'`, the attacker can break out of the string context and inject arbitrary SQL. This enables UNION-based data extraction across all databases on the same MySQL instance, including credential tables from other applications [ref_id=1]. No authentication is required.

Affected code

The vulnerability resides in `/SMS/index.php` (lines 51–59) where the `roll` POST parameter is directly concatenated into a raw SQL query without sanitization or parameterization. Both `$Standard` and `$RollNo` are taken from `$_POST` and embedded into the query string with no escaping.

What the fix does

The advisory recommends replacing the raw string concatenation with prepared statements and bound parameters: `$stmt = $conn->prepare(...)` followed by `$stmt->bind_param('ss', $Standard, $RollNo)` [ref_id=1]. This change ensures user input is never interpreted as SQL code, eliminating the injection vector. Additionally, disabling verbose PHP/MySQL error output (`display_errors = Off`) is advised to prevent path disclosure.
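The concatenated query the advisory describes, placed beside the prepared-statement form it recommends. This is an added example and not the project's own index.php: the query text and the `bind_param('ss', $Standard, $RollNo)` call come from the advisory, while the connection details, the `standard` field name, the digits-only roll-number check and the output loop are assumptions.

```php
<?php
// Added example, not the project's own index.php. The mysqli connection
// and credentials below are constructed placeholders.
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'student_db');

$Standard = $_POST['standard'] ?? ''; // assumed field name for the class/standard
$RollNo   = $_POST['roll'] ?? '';     // the 'roll' POST parameter from the advisory

// Vulnerable pattern, as the advisory describes lines 51-59: both values are
// interpolated into the SQL text, so a quote in either ends the string literal
// and whatever follows is parsed as SQL.
function lookupVulnerable(mysqli $conn, string $Standard, string $RollNo)
{
    $sql = "SELECT * FROM student WHERE standard = '$Standard' OR rollno='$RollNo'";
    return $conn->query($sql);
}

// Fixed pattern: the statement is sent with '?' placeholders and the values are
// bound afterwards, so they are only ever treated as data, never as SQL.
function lookupSafe(mysqli $conn, string $Standard, string $RollNo): mysqli_result
{
    $stmt = $conn->prepare('SELECT * FROM student WHERE standard = ? OR rollno = ?');
    if ($stmt === false) {
        // Log server-side only; echoing $conn->error to the client is the
        // path/schema disclosure that display_errors = Off is meant to stop.
        error_log('prepare failed: ' . $conn->error);
        http_response_code(500);
        exit;
    }
    $stmt->bind_param('ss', $Standard, $RollNo); // one 's' (string) per placeholder
    $stmt->execute();
    $result = $stmt->get_result();               // needs mysqlnd; false on failure
    if ($result === false) {
        error_log('execute failed: ' . $stmt->error);
        http_response_code(500);
        exit;
    }
    return $result;
}

// Defence in depth (assumption: roll numbers in this schema are digits only).
if ($RollNo !== '' && !ctype_digit($RollNo)) {
    http_response_code(400);
    exit('Invalid roll number');
}

foreach (lookupSafe($conn, $Standard, $RollNo) as $row) {
    echo htmlspecialchars($row['rollno'] ?? '', ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The bound parameters close the injection regardless of the input check, which only narrows the accepted values further.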

Preconditions

  • network: Attacker must be able to send HTTP POST requests to the target server.
  • auth: No authentication or prior access is required.
  • input: The vulnerable search form at /SMS/index.php must be reachable.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)