VYPR
Medium severity · 6.3 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 29, 2026

CVE-2026-5649

Description

A vulnerability has been found in code-projects Online Application System for Admission 1.0. This issue affects some unknown processing of the file /enrollment/admsnform.php of the component Endpoint. Such manipulation leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A medium-severity SQL injection in code-projects Online Application System for Admission 1.0 allows remote attackers to manipulate database queries via the detid parameter.

Vulnerability Overview

A SQL injection vulnerability exists in code-projects Online Application System for Admission version 1.0. The flaw affects the /enrollment/admsnform.php endpoint, specifically the detid parameter processed during the admission form submission. The application directly incorporates user-supplied input into SQL queries without using prepared statements or parameterized queries, leading to CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). [1]

Exploitation Details

An attacker can exploit this vulnerability remotely via HTTP POST requests without requiring prior authentication. The detid parameter is user-controlled and not sanitized before being used in an SQL statement. By injecting a time-based payload such as '+(select*from(select(sleep(20)))a)+', the attacker can cause a 20-second database delay, confirming successful injection. This demonstrates that arbitrary SQL commands can be executed. The exploit details have been publicly disclosed, increasing the risk of widespread scanning. [1]

Impact

Successful exploitation allows an attacker to manipulate database queries, potentially extracting sensitive information from the database, modifying data, or executing administrative operations on the database server. The CVSS v3 score of 6.3 (Medium) reflects the remote attack vector and low complexity, though authentication is not required. [1]

Mitigation

No official patch has been released by code-projects as of the publication date. Users should implement input validation and parameterized queries (prepared statements) for the affected endpoint. If possible, restrict network access to the application or upgrade to a fixed version if one becomes available. The vendor’s site [2] provides the original source code, which may allow users to develop their own fix. [1]
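The two query styles the mitigation contrasts, as an added illustration that is not code from the code-projects application (its actual handler is not reproduced here): a hypothetical handler for the detid parameter that interpolates the value into the SQL text, beside the same lookup rewritten with integer validation and a mysqli prepared statement. The table and column names and the `$conn` connection are assumptions.

```php
<?php
// Added illustration, not the project's code. Table/column names are assumed,
// and $conn is assumed to be an open mysqli connection with exceptions enabled.

// Vulnerable pattern (the class of defect the advisory describes): the request
// value is concatenated straight into the SQL text, so the database cannot tell
// where the data ends and the query syntax begins.
function fetchApplicantVulnerable(mysqli $conn, array $post): ?array
{
    $detid = $post['detid'] ?? '';
    $sql = "SELECT * FROM admission_details WHERE detid = '" . $detid . "'";
    $result = $conn->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened pattern: validate the shape of the input first, then bind it as a
// typed parameter so the value is never parsed as SQL, whatever it contains.
function fetchApplicantSafe(mysqli $conn, array $post): ?array
{
    // detid is a record identifier, so anything that is not a positive integer
    // is rejected before the database is contacted at all.
    $detid = filter_var(
        $post['detid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($detid === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $conn->prepare('SELECT * FROM admission_details WHERE detid = ?');
    $stmt->bind_param('i', $detid);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The integer check is kept even though the bound parameter alone already prevents injection: it gives the endpoint a deterministic 400 for malformed input instead of a database error, which is also easier to alert on.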

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.
