Medium severity 6.3 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 29, 2026

CVE-2026-5197

Description

A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. Manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Student Membership System v1.0, /delete_user.php fails to sanitize the ID parameter, allowing unauthenticated remote SQL injection.

Root Cause

The vulnerability is a classic SQL injection flaw in /delete_user.php of the code-projects Student Membership System 1.0. The code directly concatenates the $_POST['id'] parameter into a DELETE statement without any sanitization or prepared statements: mysql_query("delete from user where user='$id'") [1].

Exploitation

An attacker can remotely exploit this by sending a crafted POST request with a malicious id value. No authentication is required, and the attack complexity is low. The exploit has been publicly released, lowering the barrier for attackers [1].

Impact

Successful exploitation allows an attacker to delete arbitrary user records, including all administrator accounts, potentially rendering the system unmanageable. The attacker could delete the entire user table, causing a denial of service and complete loss of system administrative control [1].

Mitigation

As of the publication date, the vendor has not released a patch. The project's homepage [2] may offer updates. The recommended fix is to use prepared statements with PDO or MySQLi and to perform strict input validation. Until a fix is applied, administrators should restrict network access to the vulnerable endpoint.
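
A hardened form of the delete handler, following the mitigation above. This is an added example, not the project's code: the `user` table and column names come from the query quoted under Root Cause, while the connection parameters and the identifier pattern are assumptions.

```php
<?php
// Added example: hardened /delete_user.php using a MySQLi prepared statement.
// Assumptions (not from the project): DB credentials and the identifier format.
declare(strict_types=1);

// Make MySQLi throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Strict input validation: accept only a short identifier made of letters,
 * digits, '.', '_' and '-'. The pattern is an assumed policy; adapt it.
 */
function validate_user_id($raw): ?string
{
    if (!is_string($raw)) {          // rejects array input such as id[]=x
        return null;
    }
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $raw) === 1 ? $raw : null;
}

/** Delete one row; the value is bound, never concatenated into the SQL. */
function delete_user(mysqli $db, string $id): int
{
    $stmt = $db->prepare('DELETE FROM `user` WHERE `user` = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}

$id = validate_user_id($_POST['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Placeholder credentials (assumed); load real ones from configuration.
$db = new mysqli('localhost', 'app_user', 'app_password', 'membership');
$db->set_charset('utf8mb4');

$deleted = delete_user($db, $id);
http_response_code($deleted === 1 ? 200 : 404);
echo $deleted === 1 ? 'User deleted' : 'No such user';
```

Binding the parameter removes the injection only; the endpoint still needs an access-control check in front of it, since the advisory notes that no authentication is required to reach it.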

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.
