CVE-2026-10110: SQL Injection in Student Details Management System
A SQL injection vulnerability has been identified in code-projects Student Details Management System version 1.0, tracked as CVE-2026-10110 with a CVSS v3.1 score of 7.3 (High). The flaw exists in the /index.php file and is triggered by manipulating the roll parameter, allowing an unauthenticated remote attacker to inject arbitrary SQL commands into the underlying database query. A public exploit is available.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-10110 |
| CVSS Score | 7.3 (High) |
| Affected Software | code-projects Student Details Management System 1.0 |
| Vulnerable File | /index.php |
| Vulnerable Parameter | roll |
| Attack Vector | Network (Remote) |
| Authentication Required | None |
| Public Exploit | Yes |
| Patch Available | Not confirmed |
Technical Details
The vulnerability arises because the roll parameter passed to /index.php is incorporated directly into a SQL query without adequate sanitization or parameterization. An attacker can append SQL syntax to the parameter value to alter the query's logic, potentially:
- Bypassing authentication — forcing queries to return true regardless of input
- Extracting database contents — using UNION-based or error-based techniques to dump tables
- Enumerating the schema — discovering table names, column names, and stored data
- Modifying or deleting records — if the application context allows write operations
Because the attack is reachable remotely and requires no prior authentication, exploitation risk is heightened for any publicly accessible deployment.
Example Attack Pattern
```
GET /index.php?roll=1' OR 1=1-- -
```
This classic boolean-based injection bypasses a WHERE clause filtering by roll, potentially returning all student records or granting unauthorized access.
Attack Surface
Student management systems often store sensitive academic and personal data:
- Student names, dates of birth, and ID numbers
- Contact information for students and guardians
- Academic records, grades, and enrollment status
- Administrative credentials if users are stored in the same database
Exposure of this data can constitute a privacy breach with compliance implications under regulations such as FERPA (US), PIPEDA (Canada), or GDPR (EU), depending on deployment context.
Remediation
Immediate Steps
- Take the application offline if it is publicly accessible, until a patch or remediation is applied
- Restrict access to the application via IP allowlisting or firewall rules as a temporary measure
- Review access logs for signs of exploitation (unexpected parameter values, anomalous query patterns)
Code-Level Fix
The correct remediation is to use parameterized queries (prepared statements) in place of string-concatenated SQL:
```php
// Vulnerable pattern
$query = "SELECT * FROM students WHERE roll = '$roll'";
// Secure pattern (PDO)
$stmt = $pdo->prepare("SELECT * FROM students WHERE roll = ?");
$stmt->execute([$roll]);
```
Using PDO or MySQLi with prepared statements ensures user-supplied input is never interpreted as SQL syntax, regardless of what the attacker submits.
Additional Hardening
- Apply input validation to reject non-numeric values for the `roll` parameter
- Enable WAF rules that detect common SQLi payloads (apostrophes, UNION keywords, comment sequences)
- Implement least-privilege database accounts — the web application's DB user should not have DROP, ALTER, or GRANT privileges
- Enable database query logging to detect anomalous patterns in production
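The difference between the concatenated and the parameterized query, combined with the numeric check on `roll`, can be observed directly. This is an added example, not code from the affected project: it uses Python's `sqlite3` in place of PHP and MySQL, and the table layout, sample rows and function names are assumptions.

```python
import sqlite3

# Example pattern quoted on this page.
PAYLOAD = "1' OR 1=1-- -"

def make_db():
    # Constructed sample data; the application's real schema is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (roll TEXT, name TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?)",
                   [("1", "Asha"), ("2", "Ben"), ("3", "Chen")])
    return db

def lookup_concatenated(db, roll):
    # Vulnerable pattern: the input becomes part of the SQL text.
    query = "SELECT roll, name FROM students WHERE roll = '" + roll + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, roll):
    # Secure pattern: the value is bound and never parsed as SQL.
    return db.execute(
        "SELECT roll, name FROM students WHERE roll = ?", (roll,)
    ).fetchall()

def validate_roll(roll):
    # Hardening: accept ASCII digits only, with a bounded length.
    if not (roll.isascii() and roll.isdigit() and len(roll) <= 10):
        raise ValueError("roll must be numeric")
    return roll

def lookup_hardened(db, roll):
    # Validation and binding together: reject early, bind anyway.
    return lookup_parameterized(db, validate_roll(roll))

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", lookup_concatenated(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
    print("hardened:     ", lookup_hardened(db, "2"))
```

Validation alone is not the fix; the bound parameter is what keeps the value out of the SQL grammar, and the numeric check only narrows what reaches the query.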
Detection
Look for common SQL injection indicators in web server logs:
```bash
# Search for common SQLi patterns in access logs
# (-i on both greps so upper-case keywords match; %27 is a URL-encoded apostrophe)
grep -i "roll=" /var/log/apache2/access.log | grep -iE "('|%27|--|union|select|drop|insert)"
# Monitor for database errors exposed in HTTP responses
grep -i "sql syntax\|mysql_fetch\|ORA-" /var/log/apache2/error.log
```
Any roll parameter values containing single quotes, SQL keywords (UNION, SELECT, OR 1=1), or comment sequences (--, #) should be treated as potential exploitation attempts.
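Keyword greps miss payloads that arrive percent-encoded, so a stricter triage is to decode every `roll` value sent to `/index.php` and flag anything that is not purely numeric. The script below is an added example, not part of the original advisory; the log lines are constructed (Apache combined format, documentation IP ranges) and the function name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?roll=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /index.php?roll=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 9841 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /index.php?roll=1+UNION+SELECT+1,2 HTTP/1.1" 500 312 "-" "curl/8.5.0"
203.0.113.4 - - [01/Jan/2026:10:01:00 +0000] "GET /about.php?page=2 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# client IP, then the request target between the method and the HTTP version
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (.+?) HTTP/[\d.]+"')

def suspicious_roll_requests(log_text):
    """Return (client_ip, decoded_roll) for each non-numeric roll value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        values = parse_qs(parts.query, keep_blank_values=True).get("roll", [])
        for value in values:
            if not (value.isascii() and value.isdigit()):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_roll_requests(SAMPLE_LOG):
        print(f"{client}\troll={value!r}")
```

Access logs record only the request line, so a `roll` value sent in a POST body will not appear here and has to be caught by application or database query logging.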
Impact Assessment
| Impact Area | Description |
|---|---|
| Data Exposure | All student records potentially accessible to unauthenticated attackers |
| Authentication Bypass | Login controls may be circumvented entirely |
| Privacy Breach | PII exposure may trigger regulatory notification obligations |
| Data Integrity | Records may be modified or deleted if write access is possible |
| Exploitation Ease | Public exploit available; low skill barrier for attackers |
Key Takeaways
- CVE-2026-10110 is a high-severity SQL injection in code-projects Student Details Management System 1.0, exploitable remotely with no authentication
- The `roll` parameter in `/index.php` is the vulnerable entry point
- A public exploit is available, lowering the barrier for attackers significantly
- Immediate action: restrict access or take the application offline until parameterized queries are implemented
- Student data systems warrant priority attention due to PII sensitivity and regulatory obligations