CVE-2026-11530
Description
SQL injection in imvks786 student_management_system allows remote attackers to bypass authentication and manipulate data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the student_management_system up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46, specifically within the /index.php file's login component. User-supplied input for the usr and pwd parameters is directly concatenated into SQL queries without proper sanitization, enabling manipulation of database queries [1]. The project uses a rolling release model, making specific version information unavailable [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By manipulating the usr and pwd POST parameters with SQL injection payloads, such as admin'%20OR%20'1'%3D'1, an attacker can bypass the login mechanism and gain unauthorized access to the system [1].
Impact
Successful exploitation allows an attacker to bypass authentication and log in as any user, including administrators. It also enables unauthorized data deletion, modification of user permissions, and sensitive data exposure through various SQL injection techniques [1].
Mitigation
No patched version or specific fix details are available as the project has not responded to the early issue report [1]. The project's GitHub repository is available for reference, but no mitigation steps or updated releases are indicated [2].
- [1] Multiple SQL Injection Vulnerabilities Leading to Authentication Bypass, Data Manipulation, and Privilege Escalation
- [2] GitHub - imvks786/student_management_system: This is simple student management system coded in HTML, CSS, JAVASCRIPT AND PHP as front-end languages. And at backend the SQL server is used for query processing.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input is concatenated directly into SQL queries without sanitization, leading to SQL injection."
Attack vector
An attacker can remotely exploit this vulnerability by sending a crafted POST request to the `/index.php` endpoint. The request manipulates the `usr` and `pwd` parameters with SQL injection payloads, such as `admin' OR '1'='1`, to bypass authentication. This allows the attacker to log in as any user without valid credentials [1].
Affected code
The vulnerability exists in the `index.php` file, specifically within the department/user login functionality. The code concatenates user-supplied input from `$_POST['usr']` and `$_POST['pwd']` directly into a SQL query without proper sanitization or parameterization [1].
What the fix does
The advisory does not specify a patch or provide remediation guidance. The project was informed of the problem but has not responded. Therefore, no fix is currently available.
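The advisory gives no fix, so as an added example (not code from the project or the advisory), this PHP script puts the concatenation pattern described under "Affected code" next to a parameterized query and runs the page's payload through both. The `users` table, its columns, the function names and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example; NOT the project's code. The `users` table, its columns and
// the in-memory SQLite database are assumptions so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usr TEXT PRIMARY KEY, pwd TEXT NOT NULL)');
// Constructed account. The plaintext password only mirrors the concatenated
// query; a real fix would also store password_hash() output and check it
// with password_verify().
$db->prepare('INSERT INTO users (usr, pwd) VALUES (?, ?)')
   ->execute(['admin', 'S3cret-constructed']);

// Pattern the advisory describes: request values become part of the SQL text,
// so a quote in `usr` ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $usr, string $pwd): bool {
    $sql = "SELECT usr FROM users WHERE usr = '$usr' AND pwd = '$pwd'";
    return $db->query($sql)->fetch() !== false;
}

// Parameterized form: the SQL text is fixed and the values are bound as data,
// so quotes in the input are compared literally and never parsed.
function login_prepared(PDO $db, string $usr, string $pwd): bool {
    $stmt = $db->prepare('SELECT usr FROM users WHERE usr = :usr AND pwd = :pwd');
    $stmt->execute([':usr' => $usr, ':pwd' => $pwd]);
    return $stmt->fetch() !== false;
}

// Constructed stand-ins for $_POST; the last one is the payload quoted on
// this page, URL-decoded.
$cases = [
    'valid credentials'    => ['usr' => 'admin', 'pwd' => 'S3cret-constructed'],
    'wrong password'       => ['usr' => 'admin', 'pwd' => 'x'],
    'payload from advisory' => ['usr' => "admin' OR '1'='1", 'pwd' => 'x'],
];
foreach ($cases as $label => $post) {
    printf("%-22s concat=%-5s prepared=%s\n", $label,
        var_export(login_concat($db, $post['usr'], $post['pwd']), true),
        var_export(login_prepared($db, $post['usr'], $post['pwd']), true));
}
```

The two functions agree on the first two cases and differ only on the payload row, which is the check to repeat after changing the login query in `index.php`.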
Preconditions
- network: The vulnerability is remotely exploitable.
- input: The attacker needs to provide manipulated `usr` and `pwd` POST parameters.
Reproduction
POST /index.php HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded

usr=admin'%20OR%20'1'%3D'1&pwd=x&submit=submit
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.