PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10110 code-projects CVE debrief

A SQL injection vulnerability exists in the Student Details Management System version 1.0, distributed via code-projects.org. The flaw resides in the /index.php endpoint and is reachable through manipulation of the 'roll' parameter. The attack vector is network-accessible and does not require authentication, allowing remote exploitation. The vulnerability has been publicly disclosed with available exploit details.

Vendor
code-projects
Product
Student Details Management System
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-30
Original CVE updated
2026-05-30
Advisory published
2026-05-30
Advisory updated
2026-05-30

Who should care

  • Organizations running Student Details Management System 1.0
  • Educational institutions using this PHP-based student records application
  • Security teams monitoring for unauthenticated web application vulnerabilities

Technical summary

The Student Details Management System 1.0 contains a SQL injection vulnerability in /index.php through the 'roll' parameter. The flaw allows unauthenticated remote attackers to manipulate database queries. The vulnerability is classified as medium severity (CVSS 5.5) with proof-of-concept exploit availability. No known ransomware campaign use has been identified.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries (prepared statements) to the 'roll' parameter in /index.php
  • Review and sanitize all user-supplied input to the application
  • Restrict network access to the management system where possible until patching
  • Monitor for suspicious queries or authentication anomalies in application logs
  • Verify vendor attribution and obtain an official patch from the software distributor when available
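One way to carry out the first action above, as an added example that is not the application's own code: the roll-number lookup in index.php rewritten with allow-list validation and a PDO prepared statement, with the string-concatenation pattern it replaces shown only as a comment. The table and column names (`students`, `roll`, `name`, `course`), the DSN and credentials, and the roll-number format are assumptions to be adapted to the real schema.

```php
<?php
// Added example, not code from the Student Details Management System.
// Assumed schema: table `students` with columns `roll`, `name`, `course`.

function fetch_student_by_roll(PDO $pdo, string $roll): ?array
{
    // Allow-list the input shape before it reaches the database. The format
    // (1-12 alphanumeric characters) is an assumption; match the real one.
    if (!preg_match('/^[A-Za-z0-9]{1,12}$/', $roll)) {
        return null;
    }

    // Parameterized query: the value is bound, never spliced into the SQL text.
    // Unsafe pattern this replaces:
    //   "SELECT ... FROM students WHERE roll = '" . $_GET['roll'] . "'"
    $stmt = $pdo->prepare('SELECT roll, name, course FROM students WHERE roll = :roll');
    $stmt->execute([':roll' => $roll]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Assumed connection details; disable emulated prepares so MySQL binds the
// parameter server-side instead of PDO interpolating it client-side.
$pdo = new PDO(
    'mysql:host=localhost;dbname=students_db;charset=utf8mb4',
    'app_user',
    'REPLACE_WITH_REAL_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$roll    = $_GET['roll'] ?? '';
$student = fetch_student_by_roll($pdo, $roll);

if ($student === null) {
    http_response_code(404);
    echo 'No record found';
} else {
    // Escape on output so the lookup does not become an XSS sink.
    echo htmlspecialchars($student['name'], ENT_QUOTES, 'UTF-8'), ' (',
         htmlspecialchars($student['course'], ENT_QUOTES, 'UTF-8'), ')';
}
```

Rejected input returns the same 404 as a missing record, so the response does not reveal whether a roll number exists.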

Evidence notes

The vulnerability was reported to VulDB (submission 818504) and assigned VulDB entry 367288. The CNA source ([email protected]) lists CWE-74 and CWE-89 as the weakness types. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and proof-of-concept exploit availability (E:P). The GitHub repository reference suggests public exploit material exists. Vendor identification is marked low confidence with 'Unknown Vendor' and 'Code Projects' as a domain candidate, requiring review.
