PatchSiren cyber security CVE debrief

CVE-2026-9474 yashpokharna2555 CVE debrief

A SQL injection vulnerability exists in the StudentManagementSystem project by yashpokharna2555, specifically within the `confirm_logged_in` function in `/studentdel.php`. The vulnerability allows remote attackers to manipulate the `ID` parameter to inject arbitrary SQL commands. The issue affects versions up to commit cb2f558ddf8d19396de0f92abf2d224d46a0a203. The project operates on a rolling release model without traditional version numbering. The vulnerability was publicly disclosed on 2026-05-25 with a CVSS 4.0 score of 5.5 (MEDIUM severity). An issue was reported to the project maintainers prior to disclosure, but no response has been received as of the last modification date (2026-05-26). The exploit has been made publicly available. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in SQL Command).

Vendor: yashpokharna2555
Product: StudentManagementSystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations running instances of yashpokharna2555/StudentManagementSystem; security teams monitoring PHP web applications for SQL injection vulnerabilities; developers maintaining forked versions of this project

Technical summary

The vulnerability resides in the `confirm_logged_in` function within `/studentdel.php` of the StudentManagementSystem PHP application. Insufficient sanitization of the `ID` parameter allows attackers to inject malicious SQL commands. The attack vector is network-based with no authentication required. The vulnerability affects all versions up to commit cb2f558ddf8d19396de0f92abf2d224d46a0a203. As a rolling release project, no patched version has been identified. The exploit has been publicly disclosed, increasing the risk of active exploitation.

Defensive priority

Medium

Recommended defensive actions

  • Review how all user-supplied input is used in SQL statements, particularly the `ID` parameter in /studentdel.php, and move those queries to parameterized queries or prepared statements rather than string concatenation
  • Implement input validation and output encoding consistent with OWASP guidelines for SQL injection prevention
  • Monitor for suspicious database query patterns that may indicate exploitation attempts
  • Consider implementing Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the affected endpoint
  • Establish communication with the project maintainers through the reported GitHub issue to coordinate disclosure and remediation efforts
  • If deploying this application, apply principle of least privilege to database accounts used by the application
  • Review application logs for historical exploitation attempts, particularly around the disclosure date of 2026-05-25
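The defect described in the technical summary and the prepared-statement fix recommended above, as an added example that is not the project's code: the first function shows the concatenation pattern the advisory describes, the second the hardened form. The `students` table, the `id` column, the mysqli connection and the session flag are assumptions; only the `ID` parameter name comes from the advisory.

```php
<?php
// Added example, not code from studentdel.php. Table and column names, the
// mysqli connection and the session flag are assumptions; only the "ID"
// request parameter name comes from the advisory.

// VULNERABLE PATTERN: the request parameter is concatenated straight into the
// SQL text, so whatever arrives in ID is parsed as part of the statement
// (CWE-89). Never deploy this form.
function delete_student_vulnerable(mysqli $db): bool
{
    $id = $_GET['ID'] ?? '';
    $sql = "DELETE FROM students WHERE id = '" . $id . "'";
    return $db->query($sql) !== false;
}

// HARDENED PATTERN: require a logged-in session, validate the parameter's
// shape, then bind it as a value in a prepared statement so the database
// engine never interprets it as SQL.
function delete_student_hardened(mysqli $db): bool
{
    // Fail closed unless the caller is logged in (assumed session flag).
    if (empty($_SESSION['logged_in'])) {
        http_response_code(403);
        return false;
    }

    // A student ID must be a positive integer; reject anything else early.
    // filter_input() returns null when ID is absent and false when invalid.
    $id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false || $id === null) {
        http_response_code(400);
        return false;
    }

    // Placeholder plus typed binding: the value travels separately from the
    // statement text, so no quoting tricks can change the query's structure.
    $stmt = $db->prepare('DELETE FROM students WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    // Exactly one affected row means only the intended record was removed.
    return $ok && $deleted === 1;
}
```

The same two-step shape (reject malformed input, then bind the value) applies to any other endpoint in the application that builds SQL from request parameters.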

Evidence notes

Vulnerability confirmed through VulDB submission (814004) and assigned CVE-2026-9474. GitHub issue #5 was opened to notify the project maintainers. The NVD entry shows vulnStatus as 'Deferred'. The CVSS 4.0 vector indicates a network attack vector with low impact on confidentiality, integrity, and availability. Exploit maturity is marked as 'P' (Proof-of-concept) in the CVSS vector.

Official resources

public