VYPR
High severity · 7.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10227

Description

SQL injection in student_management_system_by_php's add_user_check.php allows unauthenticated attackers to create arbitrary admin accounts via the role parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in the add_user_check.php file of the student_management_system_by_php project (up to commit 310d950e09013d5133c6b9210aff9444382d16d1). The script does not sanitize the role parameter from $_POST['role'] before inserting it into an SQL query. This allows an attacker to inject arbitrary SQL commands. The affected component is the User Creation Handler. The project follows a rolling release, so no specific version numbers are provided.

Exploitation

An unauthenticated attacker can send a POST request to add_user_check.php with a crafted role parameter. The reference [1] demonstrates that by setting role=admin, the attacker can create a new user with administrative privileges. The SQL injection can be exploited to manipulate the query further, but the primary exploit shown is privilege escalation via direct insertion of the admin role. No authentication or prior access is required.

Impact

Successful exploitation allows an attacker to create arbitrary user accounts with any role, including admin. This results in complete privilege escalation, giving the attacker full administrative control over the application. The attacker can then access all features, modify data, and potentially compromise the entire system.

Mitigation

The project maintainer has not responded to the issue report [1] as of the publication date. No official fix or patched version is available. Users should consider disabling or removing the add_user_check.php file if it is not needed, or implementing proper authentication and input validation. The vulnerability is publicly disclosed and may be exploited.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authentication check and unsanitized SQL insertion of the `role` parameter in `add_user_check.php` allow unauthenticated privilege escalation to admin."

Attack vector

An unauthenticated attacker sends a POST request to `/add_user_check.php` with `role=admin` and arbitrary credentials. The server blindly inserts the attacker-controlled role into the database and returns a 302 redirect, confirming account creation. The attacker then logs in with the newly created admin credentials and gains full administrative access [ref_id=1]. This is a combination of broken access control (no authentication required) and SQL injection (unsanitized `role` parameter).

Affected code

The vulnerability resides in `add_user_check.php` (lines 1–37). The script calls `session_start()` but performs no authentication or authorization check before inserting a new user record. The `$_POST['role']` value is directly interpolated into an SQL `INSERT` statement without sanitization or validation [ref_id=1].

What the fix does

No patch has been published. The advisory [ref_id=1] recommends adding an authentication check (e.g., verifying the requester is an existing admin) before processing user creation, and sanitizing or parameterizing the `role` value in the SQL `INSERT` statement to prevent SQL injection. Without these changes, any unauthenticated visitor can escalate privileges to admin.
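Since no patch exists, the following is an added illustration of what the "Affected code" and "What the fix does" sections call for: a user-creation handler that checks the session for an admin before doing anything, allow-lists the `role` value, and binds every field into a prepared `INSERT`. This is not the project's code and not a published fix. It assumes a `users` table with columns `name`, `username`, `email`, `phone`, `role` and `password`, a session that stores the logged-in user's role in `$_SESSION['role']`, a role set of `student`/`teacher`/`admin`, and placeholder database credentials; hashing the password with `password_hash()` is an added practice the advisory does not mention.

```php
<?php
// Hardened replacement for an add_user_check.php-style handler (added example,
// not the project's code). Assumptions: PDO/MySQL, a `users` table with the
// columns below, $_SESSION['role'] set at login, and placeholder DB credentials.
declare(strict_types=1);
session_start();

// 1. Authorization. The vulnerable handler called session_start() but never
//    looked at the session; here only an authenticated admin may continue.
if (($_SESSION['role'] ?? null) !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['apply'])) {
    http_response_code(405);
    exit('Method not allowed');
}

// Return a POST field as a trimmed string, or '' if absent or not a scalar
// (PHP will happily deliver an array for a key like role[]).
function field(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_scalar($v) ? trim((string)$v) : '';
}

// 2. Allow-list the role. The request may only select a known role; it cannot
//    supply an arbitrary string that reaches the SQL statement. (Assumed set.)
const ALLOWED_ROLES = ['student', 'teacher', 'admin'];
$role = field('role');
if (!in_array($role, ALLOWED_ROLES, true)) {
    http_response_code(400);
    exit('Invalid role');
}

// 3. Validate the remaining fields before they reach the database.
$name     = field('name');
$username = field('username');
$email    = filter_var(field('email'), FILTER_VALIDATE_EMAIL);
$phone    = preg_replace('/\D/', '', field('phone'));
$password = field('password');

if ($name === ''
    || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)
    || $email === false
    || strlen($password) < 8) {
    http_response_code(400);
    exit('Invalid input');
}

// 4. Parameterized INSERT: values are bound, never interpolated into the SQL
//    text, so no field can change the shape of the statement.
$pdo = new PDO(
    'mysql:host=localhost;dbname=sms;charset=utf8mb4',   // placeholder DSN
    'sms_user',                                           // placeholder user
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);
$stmt = $pdo->prepare(
    'INSERT INTO users (name, username, email, phone, role, password)
     VALUES (:name, :username, :email, :phone, :role, :password)'
);
$stmt->execute([
    ':name'     => $name,
    ':username' => $username,
    ':email'    => $email,
    ':phone'    => $phone,
    ':role'     => $role,
    ':password' => password_hash($password, PASSWORD_DEFAULT),
]);

// Same post-creation redirect the advisory describes for the original handler.
header('Location: add_user.php', true, 302);
exit;
```

The two controls are independent: the session check alone would still leave an authenticated admin able to inject through `role`, and the prepared statement alone would still let any visitor create an admin account through the legitimate query. Both are needed to close the issue as described above.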

Preconditions

  • auth: No authentication required; the endpoint is publicly accessible.
  • network: Attacker must be able to send HTTP POST requests to the target server.
  • input: The `role` POST parameter is accepted without sanitization.

Reproduction

Send a POST request to `/add_user_check.php` with body `apply=Apply&name=Evil&username=eviladmin&email=evil%40test.local&phone=123&role=admin&password=1234`. The server responds with a 302 redirect to `add_user.php`. Log in with `eviladmin` / `1234` to obtain admin privileges [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.