CVE-2026-11531
Description
A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Manipulation of the argument a_usr/a_pwd results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Affected products
- Range: up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The administrator login endpoint constructs an SQL query by directly embedding user-supplied input without sanitization or parameterization."
Attack vector
An attacker can remotely exploit this vulnerability by navigating to the admin login page and submitting a crafted payload in the username field. The payload 'admin' OR '1'='1' transforms the SQL query to always return a row, bypassing the password check. This grants the attacker an active administrator session and redirects them to the admin dashboard.
Affected code
The vulnerability resides in the admin/admin_login.php file, specifically within lines 7-27. The code directly embeds the POST parameters 'a_usr' and 'a_pwd' into an SQL query without any validation or parameterization.
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability was fixed. The project was informed of the problem but has not responded. Therefore, no fix explanation can be provided.
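No patch exists, so the following is an added illustration (not the project's code) of the pattern the Root cause and Affected code sections describe, beside the standard fix for it: a prepared statement plus hash-based password verification. Table and column names (admin, a_id, a_usr, a_pwd_hash), the database credentials and the use of mysqlnd's get_result() are assumptions.

```php
<?php
// Constructed illustration, not the project's admin/admin_login.php.
// Assumed schema: admin(a_id, a_usr, a_pwd_hash); $conn is an open mysqli connection.
session_start();

// BEFORE: the pattern the advisory describes. The POST values are concatenated
// straight into the query, so a_usr = admin' OR '1'='1 rewrites the WHERE clause
// and the password comparison no longer constrains which rows come back.
function vulnerable_login(mysqli $conn, string $usr, string $pwd): bool
{
    $sql = "SELECT a_id FROM admin WHERE a_usr = '$usr' AND a_pwd = '$pwd'";
    $res = $conn->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// AFTER: the prepared statement keeps the input as a bound value, never as SQL,
// and the password is checked against a stored hash instead of inside the query.
function hardened_login(mysqli $conn, string $usr, string $pwd): ?int
{
    $stmt = $conn->prepare('SELECT a_id, a_pwd_hash FROM admin WHERE a_usr = ? LIMIT 1');
    $stmt->bind_param('s', $usr);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (assumed)
    $stmt->close();
    if ($row === null) {
        return null;                           // unknown user: same answer as bad password
    }
    // password_verify() expects a password_hash() digest and compares in constant time.
    return password_verify($pwd, $row['a_pwd_hash']) ? (int) $row['a_id'] : null;
}

// Login handler: only the success path reaches the dashboard redirect.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = new mysqli('localhost', 'db_user', 'db_pass', 'sms'); // assumed credentials
    $id = hardened_login($conn, $_POST['a_usr'] ?? '', $_POST['a_pwd'] ?? '');
    if ($id !== null) {
        session_regenerate_id(true);           // fresh session id on privilege change
        $_SESSION['admin_id'] = $id;
        header('Location: welcome.php');
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

With the hardened form, the payload from the Attack vector section is looked up literally as a username and matches no row, so the login fails; a hash column also means a leaked database no longer exposes admin passwords in clear text.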
Preconditions
- network: The vulnerability is remotely exploitable.
- input: The attacker must manipulate the 'a_usr' and 'a_pwd' arguments.
Reproduction
- Navigate to the admin login page: /admin/admin_login.php.
- In the username field, enter a SQL injection payload such as: admin' OR '1'='1
- Enter any arbitrary value for the password (e.g., x).
- Submit the form.
- Observe that the server responds with a success alert and redirects to the admin dashboard (welcome.php).
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.