PatchSiren cyber security CVE debrief
CVE-2026-10226 raisulislamg4 CVE debrief
A SQL injection vulnerability exists in the raisulislamg4/student_management_system_by_php project, specifically within the delete.php file. Multiple identifier parameters—user_id, course_id, teacher_id, student_id, and application_id—are susceptible to manipulation, enabling remote attackers to inject arbitrary SQL commands. The project follows a rolling release model without discrete version numbers, complicating patch tracking. The maintainer was notified via a GitHub issue prior to public disclosure but has not responded as of the CVE publication date (2026-06-01). The vulnerability has been publicly disclosed with exploit details available, increasing the risk of active exploitation. CVSS 4.0 scoring reflects medium severity with network attack vector, low attack complexity, and no required privileges or user interaction.
- Vendor: raisulislamg4
- Product: student_management_system_by_php
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations running instances of this student management system; security teams monitoring for SQL injection in PHP applications; developers maintaining forked versions of the project
Technical summary
The delete.php endpoint in raisulislamg4/student_management_system_by_php accepts multiple identifier parameters (user_id, course_id, teacher_id, student_id, application_id) that are incorporated into SQL queries without adequate sanitization or parameterization. This permits remote, unauthenticated attackers to manipulate these parameters to alter query logic, potentially enabling unauthorized data access, modification, or deletion. The vulnerability is present in the code up to and including commit 310d950e09013d5133c6b9210aff9444382d16d1. The project uses a rolling release model without versioned releases, and the maintainer has not responded to early disclosure (GitHub issue #3). Public exploit availability elevates practical risk despite the medium CVSS severity.
Defensive priority
medium
Recommended defensive actions
- Review and restrict network access to instances of student_management_system_by_php where possible
- Inspect delete.php for direct concatenation of user_id, course_id, teacher_id, student_id, or application_id into SQL queries
- Implement parameterized queries or prepared statements for all database operations in delete.php
- Apply input validation and strict type casting for numeric identifier parameters
- Monitor database query logs for anomalous patterns indicative of SQL injection attempts
- Subscribe to the source repository for updates and consider alternative maintained solutions if vendor remains unresponsive
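As an added example, not code from the raisulislamg4 project, the following sketch shows the pattern the inspection and remediation actions above call for: a delete handler that accepts only the five identifier parameters named in the advisory, validates each as a positive integer, and passes it to a prepared statement rather than concatenating it into the SQL string. Table and column names, the session key and the database credentials are assumptions and must be adapted to the real schema.

```php
<?php
// Added example (not the project's delete.php): hardened handling of the
// identifier parameters named in CVE-2026-10226. Assumed schema and session key.
declare(strict_types=1);

// The pattern to look for when inspecting the original file is direct
// concatenation, e.g.  "DELETE FROM users WHERE user_id=" . $_GET['user_id']
// Anything that builds the query string from request data that way is affected.

// Whitelist: request parameter -> [table, id column]. Identifiers come only
// from this constant, never from the request.
const DELETE_TARGETS = [
    'user_id'        => ['users',        'user_id'],        // assumed table/column
    'course_id'      => ['courses',      'course_id'],
    'teacher_id'     => ['teachers',     'teacher_id'],
    'student_id'     => ['students',     'student_id'],
    'application_id' => ['applications', 'application_id'],
];

function deleteById(mysqli $db, string $param, $raw): bool
{
    if (!isset(DELETE_TARGETS[$param])) {
        return false; // unknown parameter: no query is built at all
    }
    // Strict type check: anything other than a positive integer is rejected
    // before any SQL is assembled.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    [$table, $column] = DELETE_TARGETS[$param];
    // The value travels as a bound parameter; it is never part of the SQL text.
    $stmt = $db->prepare(sprintf('DELETE FROM `%s` WHERE `%s` = ? LIMIT 1', $table, $column));
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected === 1;
}

// Require an authenticated session first: the advisory notes the endpoint is
// reachable without privileges. The session key is an assumption.
session_start();
if (empty($_SESSION['admin_logged_in'])) {
    http_response_code(403);
    exit;
}
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'student_db'); // constructed credentials
$db->set_charset('utf8mb4');
$deleted = false;
foreach (array_keys(DELETE_TARGETS) as $param) {
    if (isset($_GET[$param])) {
        $deleted = deleteById($db, $param, $_GET[$param]);
        break; // one identifier per request
    }
}
http_response_code($deleted ? 200 : 400);
```

Rejected requests (unknown parameter, non-integer value, or no session) never reach the database, so the query log only ever shows the fixed prepared statement shape, which also makes the log monitoring action above easier to apply.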
Evidence notes
Vulnerability identified in commit 310d950e09013d5133c6b9210aff9444382d16d1 and earlier. Affected file: delete.php. Parameters: user_id, course_id, teacher_id, student_id, application_id. CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) assigned by the CNA. Exploit published per VulDB submission 822786. Vendor notified via GitHub issue #3 without response.