CVE-2026-6488
Description
A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in QueryMine sms admin/editcourse.php allows remote attackers to execute arbitrary SQL commands via the ID parameter, with public exploit available.
Vulnerability Details
A SQL injection vulnerability exists in the QueryMine sms application up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. The issue is present in the file admin/editcourse.php within the GET request parameter handler. The "ID" parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. The project is a PHP-based student management system (SMS) that uses a MySQL database [1].
Exploitation
The vulnerability can be exploited remotely by sending a crafted HTTP GET request to the admin/editcourse.php endpoint with a malicious ID parameter. The advisory does not state that authentication is required, but the endpoint is part of the admin panel, so reaching it may require a prior admin login. The attack vector is nonetheless remote, and the exploit has been publicly disclosed, which increases the risk of active exploitation.
Impact
Successful exploitation allows an attacker to perform SQL injection attacks, which can lead to unauthorized access to the database, data exfiltration, modification or deletion of records, and potentially full compromise of the application. Given the database may contain sensitive student information, the impact could be significant.
Mitigation
The vendor was contacted early but did not respond. As the product uses continuous delivery with rolling releases, no specific version details are available. Users are advised to apply the latest updates if available, or consider implementing input validation and parameterized queries to mitigate the risk until an official fix is released.
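The following is an added illustration of the mitigation described above; it is not QueryMine's code and is not taken from admin/editcourse.php. It assumes a mysqli connection in $mysqli and a hypothetical courses table with an integer primary key id. The first function shows the unsafe pattern in which a GET parameter is spliced into the SQL text; the second validates the parameter's type and binds it as a prepared-statement parameter so the database never interprets client input as SQL.

```php
<?php
// Added illustration, not QueryMine's code. Assumes a mysqli connection in
// $mysqli and a hypothetical `courses` table with an integer primary key `id`.

// Unsafe pattern: the raw GET value becomes part of the query string, so the
// client controls part of the SQL the server executes.
function loadCourseVulnerable(mysqli $mysqli, array $get): ?array
{
    $id = $get['ID'] ?? '';
    $sql = "SELECT * FROM courses WHERE id = '" . $id . "'";
    $result = $mysqli->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened version: validate the type first, then pass the value as a bound
// parameter. The query text is fixed at prepare time; the value travels
// separately and is never parsed as SQL.
function loadCourseSafe(mysqli $mysqli, array $get): ?array
{
    // Accept only a positive integer; anything else is rejected before the
    // database is touched.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $mysqli->prepare('SELECT * FROM courses WHERE id = ?');
    if ($stmt === false) {
        // Prepare failed (e.g. schema mismatch): log and fail closed.
        error_log('editcourse: prepare failed: ' . $mysqli->error);
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' binds the placeholder as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage inside a request handler (assumes $mysqli was created earlier and
// that the admin session check has already run):
// $course = loadCourseSafe($mysqli, $_GET);
```

Both layers matter: the integer validation rejects malformed input early and yields a clean 400 that is easy to alert on in access logs, while the bound parameter is what actually removes the injection, since it would still protect a column that legitimately accepts free text.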
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.