PatchSiren cyber security CVE debrief
CVE-2026-9470 yashpokharna2555 CVE debrief
A SQL injection vulnerability exists in the yashpokharna2555/StudentManagementSystem repository at commit cb2f558ddf8d19396de0f92abf2d224d46a0a203. The vulnerability is located in the `confirm_logged_in` function within `student_trans.php`, where unsanitized user input for `FIRST_NAME`, `Last_Name`, and `EMAIL` parameters is incorporated into SQL queries. The attack vector is network-based with no authentication required, and public exploit disclosure increases immediate risk. The project uses rolling releases without versioned fixes, and the maintainer has not responded to the initial issue report filed prior to CVE publication.
- Vendor
- yashpokharna2555
- Product
- StudentManagementSystem
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running instances of yashpokharna2555/StudentManagementSystem; security teams managing PHP-based student information systems; developers maintaining forked versions of this codebase
Technical summary
The vulnerability resides in PHP file student_trans.php, function confirm_logged_in. User-supplied parameters FIRST_NAME, Last_Name, and EMAIL are concatenated directly into SQL queries without sanitization or parameterization. This classic SQL injection flaw permits attackers to alter query logic, potentially enabling unauthorized data access, modification, or authentication bypass. The attack is remotely exploitable without credentials. The repository's rolling release model means no specific patched version is designated; users must apply fixes from source or await maintainer response to the disclosed issue.
Defensive priority
medium
Recommended defensive actions
- Review and restrict network access to affected StudentManagementSystem instances until patched
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting FIRST_NAME, Last_Name, and EMAIL parameters
- Monitor database query logs for anomalous patterns in student_trans.php execution
- Contact repository maintainer through GitHub issue #3 to request security patch timeline
- Consider code-level remediation: implement parameterized queries or prepared statements in confirm_logged_in function
- Deploy database activity monitoring to detect unauthorized data access or schema enumeration attempts
Evidence notes
Vulnerability confirmed through Vuldb CNA submission and cross-referenced with GitHub issue #3. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and public exploit availability. CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) are the primary weakness classifications. The NVD entry status is 'Deferred', indicating pending analysis.
Official resources
public