CVE-2026-5575: SQL Injection in Record Management System Login Page
A SQL injection vulnerability tracked as CVE-2026-5575 has been disclosed in SourceCodester/jkev Record Management System 1.0, a PHP-based record-keeping web application. The flaw resides in the Login component at index.php and is exploitable remotely without any authentication, making it a critical risk for any internet-accessible deployment.
The vulnerability was assigned a CVSS v3.1 score of 7.3 (High) and classified under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5575 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | SourceCodester Record Management System 1.0 |
| Vulnerable File | index.php |
| Vulnerable Component | Login form — Username field |
| Attack Vector | Network (Remote) |
| Authentication Required | None |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability exists in the Login page of the Record Management System. The index.php file processes the Username parameter submitted via the login form and passes the value directly into a SQL query without adequate sanitization or parameterized query handling.
Exploitation Mechanism
An unauthenticated attacker can submit a crafted value in the Username form field to inject arbitrary SQL code:
```text
Username: admin' OR '1'='1
Username: ' UNION SELECT NULL, NULL, table_name FROM information_schema.tables--
```
Depending on the database configuration, successful exploitation could allow:
- Authentication bypass — logging in as any user, including the administrator, without a valid password
- Database enumeration — extracting table names, column definitions, and row data from all accessible tables
- Credential harvesting — recovering stored usernames and password hashes from the user table
- Data manipulation — inserting, modifying, or deleting records via stacked queries or writable injection points
Attack Flow
1. Attacker identifies an internet-accessible Record Management System login page
2. Attacker submits crafted SQL payload in the Username login field
3. Unsanitized input is concatenated into a backend SQL query
4. The database executes the injected SQL logic
5. Attacker achieves authentication bypass or data extraction
6. With admin access, attacker reads, modifies, or deletes managed records
Affected Software Context
SourceCodester is a widely referenced repository distributing open-source PHP web application source code, primarily targeting students and academic projects. The Record Management System 1.0 is distributed as a free download for learning PHP-based CRUD applications.
Despite the educational context, SourceCodester applications are frequently deployed in production or semi-production environments by small organizations, government agencies in developing regions, and academic institutions — without security hardening. This pattern has produced a consistent stream of disclosed CVEs across SourceCodester codebases in recent months, all pointing to a systemic absence of input validation and parameterized query usage throughout their PHP code.
Remediation
Immediate Steps
No official patch has been released. Deployments of this software should apply the following mitigations immediately:
- Restrict access — Block the application from public internet access; enforce access through VPN or IP allowlisting
- Deploy a Web Application Firewall — Rules detecting SQL injection patterns can block exploitation attempts against this and similar endpoints; this is a compensating control and does not remove the flaw in index.php
- Parameterize all queries — Replace direct string interpolation with PDO prepared statements or MySQLi parameterized queries
- Audit credentials — If the system has been internet-accessible, treat all stored credentials as potentially compromised
- Review access logs — Inspect server logs for malformed login attempts, large payloads, or SQL keywords in form submissions
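For the "Parameterize all queries" step, an added example (not code from Record Management System or SourceCodester) of a login check built on a PDO prepared statement, run against the two Username values quoted earlier on this page. The in-memory SQLite database, the `password_hash` column, the `make_demo_db()` and `login()` helpers and the sample account are assumptions constructed for the demo.

```php
<?php
// Added example: not code from Record Management System. The users table,
// its columns and the sample account are constructed for illustration.
declare(strict_types=1);

function make_demo_db(): PDO
{
    // In-memory SQLite stands in for the application's database (assumption).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user id on success, null on any failure.
function login(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps $username as data: quotes inside it are never
    // parsed as SQL syntax, so the WHERE clause cannot be rewritten.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against the stored hash, so a matching
    // row alone is never enough to authenticate.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$pdo = make_demo_db();
$attempts = [
    ['admin', 'constructed-demo-password'],   // legitimate login
    ["admin' OR '1'='1", 'anything'],         // Username value quoted on this page
    ["' UNION SELECT NULL, NULL, table_name FROM information_schema.tables--", ''],
    ['admin', 'wrong-password'],
];
foreach ($attempts as [$user, $pass]) {
    $id = login($pdo, $user, $pass);
    printf("%s => %s\n", $user, $id === null ? 'rejected' : "user id $id");
}
```

Run it with the PHP CLI with the `pdo_sqlite` extension enabled. Against MySQL, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.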
Code-Level Fix
The root cause is direct interpolation of user input into SQL queries:
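```php
// Vulnerable pattern: the Username value is concatenated into the SQL text,
// so a quote in the input changes the structure of the query
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

// Secure pattern (PDO prepared statement): the value is bound to a placeholder
// and is never parsed as SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$_POST['username']]);
```
Impact Assessment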
| Impact Area | Description |
|---|---|
| Authentication Bypass | Admin and user accounts accessible without valid credentials |
| Data Exposure | Full database contents extractable via UNION-based injection |
| Credential Theft | Stored passwords and session tokens can be harvested |
| Record Tampering | Managed records can be modified or deleted |
| Deployment Risk | Public exploit available; risk depends entirely on internet accessibility |
Key Takeaways
- CVE-2026-5575 is a CVSS 7.3 SQL injection in SourceCodester Record Management System 1.0 affecting the login page's Username parameter
- The flaw requires no authentication and is exploitable directly from the internet
- A public exploit has been released, raising the urgency for any production deployment
- No official patch exists — access restriction and WAF deployment are the primary mitigations
- This vulnerability continues a well-documented pattern of SQL injection flaws across SourceCodester PHP applications — all should be treated as untrusted for production use without thorough security review