VYPR
High severity · CVSS 7.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10226

Description

SQL injection in delete.php of student_management_system_by_php allows unauthenticated remote attackers to delete arbitrary records.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The delete.php file in raisulislamg4's student_management_system_by_php (up to commit 310d950e09013d5133c6b9210aff9444382d16d1) contains a SQL injection vulnerability. The script accepts user_id, course_id, teacher_id, student_id, and application_id parameters via GET requests and directly concatenates them into SQL DELETE queries without sanitization or parameterization [1][2]. The product operates on a rolling release, so no specific version numbers are available.

Exploitation

An attacker can exploit this vulnerability remotely without any authentication. By sending a crafted GET request to delete.php with a malicious value in any of the listed parameters, the attacker can inject arbitrary SQL commands. The issue report provides a proof-of-concept using user_id=1 to delete an administrator account [2]. No user interaction or special privileges are required.

Impact

Successful exploitation allows an unauthenticated attacker to delete arbitrary records from the database, including users, courses, teachers, students, and applications. This can lead to data loss, denial of service, and potential privilege escalation if administrative accounts are removed. Because the injection lands in the WHERE clause of a DELETE statement, the most direct abuse is widening the match (an always-true condition wipes the whole table rather than one row); extracting or modifying other data would require blind or error-based techniques, or stacked statements if the database driver permits them, so that secondary impact depends on the database and driver configuration.

Mitigation

As of the publication date, no fix has been released. The project maintainer was notified via an issue report but has not responded [2]. Users should consider disabling or removing delete.php until a patch is available, or add an authentication and authorization check before the deletion logic and rewrite the queries with parameterized statements. The product is on a rolling release, so updates may appear at any time.
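The following is an added example, not code from the project or the issue report, that emulates the pattern described under Vulnerability, Exploitation, and Mitigation in Python against an in-memory SQLite database. The `users` table, its columns, the `OR 1=1` payload, and the session dictionary are constructed assumptions for illustration; the real schema, database engine, and PoC payload are not given in the advisory beyond `user_id=1`. `vulnerable_delete` concatenates the GET parameter exactly as the advisory says delete.php does, and `hardened_delete` shows the recommended fix: an authorization check first, then a bound parameter so the value can never alter the statement.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed fixture: a minimal stand-in for the application's users table.
# Table and column names are assumptions; the real schema is not in the advisory.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "teacher"), (3, "bob", "student")],
    )
    db.commit()
    return db


def vulnerable_delete(db, query_string):
    """Emulation of the reported pattern (not the project's PHP): the user_id
    value from the GET query string is concatenated straight into a DELETE
    statement, and no session or role check happens first."""
    params = parse_qs(query_string)
    user_id = params.get("user_id", [""])[0]
    sql = f"DELETE FROM users WHERE id = {user_id}"
    db.execute(sql)  # runs whatever SQL text the attacker appended to the id
    db.commit()
    return sql


def hardened_delete(db, query_string, session):
    """Added fix pattern: require an authorized session, validate the id as a
    positive integer, and bind it as a parameter. With binding, the database
    receives the statement and the value separately, so '1 OR 1=1' can only
    ever be compared as data, never parsed as SQL."""
    if session.get("role") != "admin":  # 'role' key is an assumed session field
        raise PermissionError("authentication/authorization required")
    raw = parse_qs(query_string).get("user_id", [""])[0]
    if not raw.isdigit():
        raise ValueError("user_id must be a positive integer")
    cur = db.execute("DELETE FROM users WHERE id = ?", (int(raw),))
    db.commit()
    return cur.rowcount  # number of rows actually deleted


def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM users ORDER BY id")]


if __name__ == "__main__":
    # The reported request: one row (the administrator) disappears.
    db = make_db()
    print(vulnerable_delete(db, "user_id=1"), "->", remaining_ids(db))
    # Constructed payload widening the WHERE clause: every row disappears.
    db = make_db()
    print(vulnerable_delete(db, "user_id=1%20OR%201%3D1"), "->", remaining_ids(db))
    # Hardened handler rejects the same payload and unauthenticated callers.
    db = make_db()
    print(hardened_delete(db, "user_id=1", {"role": "admin"}), "row(s) deleted")
```

The `isdigit` check is not what stops the injection (the bound parameter does that); it is there so a non-numeric id fails loudly instead of silently matching nothing, which makes probing visible in the application's error handling.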

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authentication and input sanitization in delete.php allows unauthenticated SQL injection and arbitrary record deletion."

Attack vector

An unauthenticated attacker sends a crafted GET request to `delete.php` with any of the supported record ID parameters (e.g., `user_id=1`). Because the script performs no authentication or authorization checks, the attacker can delete arbitrary records from the database. The SQL injection vector further allows an attacker to manipulate the query beyond simple record deletion [ref_id=1].

Affected code

The vulnerability resides in `delete.php` (lines 1–63). The script accepts `user_id`, `course_id`, `teacher_id`, `student_id`, and `application_id` parameters via `$_GET` and directly concatenates them into `DELETE` SQL queries without sanitization or authentication checks [ref_id=1].

What the fix does

No patch has been published. The advisory recommends adding authentication and authorization checks before any deletion logic, and using parameterized queries (prepared statements) to prevent SQL injection. Until a fix is applied, the endpoint remains fully exposed to unauthenticated attackers [ref_id=1].

Preconditions

  • auth: No authentication or session is required; the attacker can be completely unauthenticated.
  • input: The attacker must know or guess a valid record ID for the target entity (user, course, teacher, student, or application).
  • network: The attacker must be able to send HTTP GET requests to the vulnerable delete.php endpoint.

Reproduction

Send a GET request to `http://127.0.0.1:3000/delete.php?user_id=1` (or any other entity parameter) without any session cookie. The server responds with a 302 redirect to `user_list.php`, confirming the deletion [ref_id=1].
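Because the reproduction is a plain GET that leaves a 302 in the web server log, the same traces can be used to find exploitation after the fact. The following is an added example (not part of the advisory or the project) that scans combined-format access log lines for requests to `delete.php`, records which of the five id parameters were supplied, and grades each hit: `injection` when an id value is not a plain integer, `direct_delete` when the request carried no Referer (a weak heuristic for tool-driven access, since the normal UI would navigate from a list page), otherwise `delete`. The log lines, IPs, and timestamps are constructed for the example; the Referer heuristic and the `/delete.php` path match are assumptions about a typical deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The five GET parameters named in the advisory.
ID_PARAMS = ("user_id", "course_id", "teacher_id", "student_id", "application_id")

# Constructed sample in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:01:02 +0000] "GET /delete.php?user_id=1 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [01/Jun/2026:10:01:05 +0000] "GET /delete.php?user_id=1%20OR%201%3D1 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.2 - - [01/Jun/2026:10:02:10 +0000] "GET /user_list.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.2 - - [01/Jun/2026:10:03:11 +0000] "GET /delete.php?student_id=42 HTTP/1.1" 302 0 "http://127.0.0.1:3000/student_list.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def analyse(line):
    """Return a finding dict for a delete.php request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/delete.php"):
        return None
    qs = parse_qs(url.query)
    finding = {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),  # 302 is the response the PoC reports
        "params": {},
        "severity": None,
    }
    for name in ID_PARAMS:
        if name in qs:
            value = qs[name][0]  # already URL-decoded, so injected SQL is readable
            finding["params"][name] = value
            if not value.isdigit():
                finding["severity"] = "injection"
    if finding["severity"] is None:
        # Heuristic assumption: the application's own list pages set a Referer.
        finding["severity"] = "direct_delete" if m["referer"] == "-" else "delete"
    return finding


def scan(log_text):
    """Scan a block of log text and return findings in file order."""
    return [f for f in (analyse(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["severity"], f["params"])
```

The `injection` grade is the reliable signal: a legitimate client never sends anything but digits in these parameters. The `direct_delete` grade only narrows the review; a Referer is trivially spoofed, so treat it as triage ordering rather than proof.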

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.