CVE-2026-10111
Description
A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. It affects an unknown function of the Login Page component. Manipulating the argument email can lead to SQL injection. The attack can be performed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 login page via unsanitized email parameter, allowing time-based blind data extraction.
Vulnerability
A SQL injection vulnerability exists in sambitraj STUDENT-MANAGEMENT-SYSTEM version 1.0. The login endpoints (`admin_login.php`, `student_login.php`, `teacher_login.php`) directly embed the user-supplied `email` parameter into a SQL query without sanitization or parameterization (e.g., `$query = "select * from admin where email = '$_POST[email]'"`). This makes the application vulnerable to time-based blind SQL injection, as detailed in the issue report [2]. No authentication is required to reach these endpoints.
Exploitation
An attacker can exploit this vulnerability remotely by sending a POST request to any of the login endpoints with a malicious `email` value containing a SQL time-delay function such as `SLEEP()`. Because the query result is not reflected in the response, the attacker must use a time-based blind technique: send a payload that causes a database delay, measure the response time, and infer database contents by comparing delays across multiple requests [2]. Steps include crafting payloads like `' OR SLEEP(5)-- -` in the `email` field and observing the response latency.
Impact
Successful exploitation allows an attacker to extract sensitive data from the database, including user credentials and other stored information. Although the vulnerability does not directly allow authentication bypass or data modification, time-based blind SQL injection enables full database enumeration. An attacker could obtain admin credentials and escalate privileges, leading to complete compromise of the application's data confidentiality [2].
Mitigation
No official patch has been released by the vendor; the project maintainer was informed via an issue report but has not responded (as of May 2026). Users must implement a workaround by replacing the vulnerable dynamic SQL queries with prepared statements or parameterized queries. If immediate code changes are not possible, restricting network access to the login pages may reduce exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct embedding of unsanitized user-supplied email parameter into SQL query strings in login endpoints allows time-based blind SQL injection."
Attack vector
An unauthenticated attacker sends a POST request to any of the three login endpoints (`admin_login.php`, `student_login.php`, or `teacher_login.php`) with a crafted `email` parameter containing a time-based blind SQL injection payload (e.g., using `SLEEP()`). Because the application directly embeds the `$_POST[email]` value into the SQL query without sanitization or parameterization [ref_id=1], the database executes the malicious SQL. The attacker infers success by measuring the response delay compared to a normal request. The attack is remotely exploitable with no authentication required [CVSS:3.1/AV:N/AC:L/PR:N/UI:N].
Affected code
The vulnerable code is in three login files: `admin_login.php` (line 51), `student_login.php` (line 57), and `teacher_login.php` (line 56) [ref_id=1]. Each file constructs a query by directly embedding the user-supplied email parameter: `$query = "select * from admin where email = '$_POST[email]'";` [ref_id=1]. No sanitization, escaping, or parameterization is applied before execution.
What the fix does
No patch has been published by the vendor. The project was informed via an issue report but has not responded [ref_id=1]. The remediation would require replacing the direct string interpolation of `$_POST[email]` in the SQL queries with parameterized prepared statements (e.g., using MySQLi or PDO) across all three login files (`admin_login.php`, `student_login.php`, `teacher_login.php`). Input validation and escaping of the email field should also be applied as a defense-in-depth measure.
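The remediation named under Mitigation and in this section, written out as an added example; it is not the project's code and not a vendor patch. It assumes PDO, the hypothetical helpers `lookup_bound()` and `login_lookup()`, table names `student` and `teacher` (only `admin` appears on this page), and a constructed in-memory SQLite table so it runs offline.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern quoted on this page (the "before"), kept as a comment only:
//   $query = "select * from admin where email = '$_POST[email]'";

/** Bound-parameter lookup: the email is sent as data, never spliced into SQL. */
function lookup_bound(PDO $db, string $table, string $email): ?array
{
    // Table names cannot be bound, so take them from a fixed allow-list.
    // 'student' and 'teacher' are assumed names; only 'admin' is on the page.
    if (!in_array($table, ['admin', 'student', 'teacher'], true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $stmt = $db->prepare("SELECT * FROM {$table} WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Defense in depth: reject malformed addresses before touching the database. */
function login_lookup(PDO $db, string $table, mixed $email): ?array
{
    if (!is_string($email) || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return lookup_bound($db, $table, $email);
}

// Constructed demo data. The project uses MySQL; with a MySQL DSN, also set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO admin (email) VALUES ('admin@example.test')");

$payload = "' OR SLEEP(5)-- -"; // payload string quoted on this page

// Binding alone: the payload is compared as a literal string, not parsed as SQL.
echo 'bound, payload:    ', json_encode(lookup_bound($db, 'admin', $payload)), PHP_EOL;
// Validation layer: the payload is rejected before any query is prepared.
echo 'validated payload: ', json_encode(login_lookup($db, 'admin', $payload)), PHP_EOL;
// A well-formed address still resolves to its row.
echo 'validated address: ', json_encode(login_lookup($db, 'admin', 'admin@example.test')), PHP_EOL;
```

The same change has to be made at each of the three query sites listed under Affected code; fixing only one login file leaves the other two endpoints injectable.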
Preconditions
- network: Attacker must be able to send HTTP POST requests to the login endpoints of the application.
- input: Attacker must supply a crafted email parameter containing a time-based blind SQL injection payload.
Reproduction
Send a login request to any of the three login endpoints (`admin_login.php`, `student_login.php`, or `teacher_login.php`) with a malicious email value that triggers a time delay (e.g., using `SLEEP()`). Measure the time taken to receive the response and compare it to a normal request to confirm the injection [ref_id=1].
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.