CVE-2026-10110 Overview
CVE-2026-10110 is a SQL injection vulnerability in code-projects Student Details Management System 1.0. The flaw resides in /index.php, where the roll parameter is concatenated into a SQL query without proper sanitization. An unauthenticated remote attacker can manipulate this parameter to inject arbitrary SQL statements. A public proof-of-concept exploit is available on GitHub, lowering the barrier for opportunistic exploitation. The vulnerability is tracked under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Unauthenticated attackers can execute arbitrary SQL queries against the application database through the roll parameter in /index.php, potentially exposing or modifying student records.
Affected Products
- code-projects Student Details Management System 1.0
- Deployments exposing /index.php to untrusted networks
- Installations without WAF or input validation controls
Discovery Timeline
- 2026-05-30 - CVE-2026-10110 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10110
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-controlled input passed to the roll parameter in /index.php. The application concatenates this value directly into a SQL query string, allowing attackers to break out of the intended query context. Because the endpoint does not require authentication, exploitation requires no prior access or credentials.
Successful exploitation enables attackers to read, modify, or delete database records. Depending on database privileges, attackers may also enumerate schema information, exfiltrate stored credentials, or pivot to further attacks. A public exploit referenced by VulDB submission #818504 and a GitHub repository (Student-Details-Management-System SQL Injection PoC) demonstrates working exploitation.
Root Cause
The root cause is the absence of parameterized queries or prepared statements when handling the roll input. User input flows directly into the SQL execution path without escaping, type-casting, or allow-list validation.
Attack Vector
The attack vector is network-based. An attacker sends a crafted HTTP request to /index.php with a malicious payload in the roll parameter. No authentication, user interaction, or special privileges are required.
The vulnerable behavior can be triggered by appending SQL meta-characters such as single quotes, UNION SELECT clauses, or boolean-based payloads to the roll query string parameter. See the public proof-of-concept for technical details on payload construction.
Detection Methods for CVE-2026-10110
Indicators of Compromise
- HTTP requests to /index.php containing SQL meta-characters such as ', --, UNION, SELECT, or SLEEP in the roll parameter
- Unexpected database errors logged by the web server or PHP runtime
- Anomalous outbound queries or large result sets returned from the database backend
- Unusual access patterns from a single source IP targeting /index.php
Detection Strategies
- Deploy web application firewall (WAF) rules to flag SQL injection patterns targeting the roll parameter
- Enable database query logging and alert on syntactically anomalous queries originating from the web tier
- Correlate web access logs against known SQL injection signatures using SIEM analytics
Monitoring Recommendations
- Monitor /index.php access logs for parameter values containing encoded SQL syntax
- Track database error rates and investigate spikes that align with HTTP traffic anomalies
- Alert on outbound data transfers from database hosts that exceed baseline volumes
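The indicators above (SQL meta-characters in the roll parameter, including percent-encoded forms, and a single source hammering /index.php) can be checked directly against web-server access logs. The script below is an added example written for this page, not part of the advisory or of the code-projects application; the Apache combined-format log lines it scans are constructed samples, and the request path, parameter name and the keyword list follow the indicators listed above. It decodes the roll value twice so that double-encoded payloads (%2520 style) are not missed, treats any non-integer roll as suspicious, and reports which requests carry injection syntax.

```php
<?php
// Added example (not from the advisory or the code-projects application):
// scan access-log lines for suspicious values of the `roll` parameter
// on /index.php. The log lines below are constructed samples.

declare(strict_types=1);

// Constructed sample lines in Apache "combined" format.
$sampleLog = <<<'LOG'
203.0.113.10 - - [30/May/2026:10:01:02 +0000] "GET /index.php?roll=1023 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2026:10:01:05 +0000] "GET /index.php?roll=1023%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "curl/8.0"
198.51.100.7 - - [30/May/2026:10:02:11 +0000] "GET /index.php?roll=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 230 "-" "python-requests/2.31"
198.51.100.7 - - [30/May/2026:10:02:30 +0000] "GET /index.php?roll=2%2520AND%2520SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [30/May/2026:10:03:00 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format line; returns null when the line does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int)$m[5], 'bytes' => $m[6]];
}

/**
 * Pull the roll parameter out of a request target for /index.php, decoding
 * twice so double-encoded payloads (e.g. %2520) are seen in clear.
 */
function extractRoll(string $target): ?string
{
    $parts = parse_url($target);
    if ($parts === false || ($parts['path'] ?? '') !== '/index.php' || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);  // first decode pass happens here
    if (!isset($params['roll'])) {
        return null;
    }
    return rawurldecode((string)$params['roll']);  // second pass
}

/**
 * Classify a decoded roll value. A plain integer (the only form the
 * application should ever receive) yields null; otherwise a reason string.
 */
function classifyRoll(string $roll): ?string
{
    if (preg_match('/^[0-9]+$/', $roll)) {
        return null;
    }
    // Indicators named in the advisory: quotes, comment markers, UNION/SELECT, SLEEP
    $sqlSyntax = '/(\'|"|--|\/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\b|\band\b)/i';
    return preg_match($sqlSyntax, $roll) ? 'sql-metacharacters' : 'non-numeric';
}

/** Scan a block of log text and return one finding per suspicious request. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $roll = extractRoll($entry['target']);
        if ($roll === null) {
            continue;
        }
        $reason = classifyRoll($roll);
        if ($reason !== null) {
            // Status 500 alongside injection syntax matches the "unexpected
            // database errors" indicator; a large byte count may signal data pull.
            $findings[] = ['ip' => $entry['ip'], 'time' => $entry['time'], 'status' => $entry['status'],
                           'bytes' => $entry['bytes'], 'roll' => $roll, 'reason' => $reason];
        }
    }
    return $findings;
}

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s status=%d bytes=%s reason=%s roll=%s\n",
           $f['time'], $f['ip'], $f['status'], $f['bytes'], $f['reason'], $f['roll']);
}
```

Run it with `php scan.php` against the embedded samples, or replace `$sampleLog` with `file_get_contents('/var/log/apache2/access.log')`. Treating any non-integer roll as a finding is deliberate: the allow-list view catches payload variants the keyword list does not name, while the keyword match only adds a label so analysts can triage quickly.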
How to Mitigate CVE-2026-10110
Immediate Actions Required
- Restrict network access to the Student Details Management System until a fix is applied
- Place the application behind a WAF with SQL injection rule sets enabled in blocking mode
- Audit database accounts used by the application and enforce least-privilege permissions
- Review database logs for evidence of prior exploitation using the public PoC payloads
Patch Information
No vendor patch has been published at the time of CVE disclosure. Track the VulDB advisory #367288 and the code-projects site for updated guidance. Organizations using this application should consider replacement or code-level remediation by introducing parameterized queries.
Workarounds
- Refactor /index.php to use prepared statements with bound parameters for the roll input
- Apply server-side input validation to reject non-numeric values where roll is expected to be numeric
- Implement WAF signatures that block requests containing SQL syntax in the roll parameter
- Isolate the application database account to read-only or schema-scoped privileges where feasible
# Example ModSecurity rule to block SQL injection in the roll parameter.
# ARGS:roll matches the parameter in both the query string and a POST body.
# This is a denylist stopgap: it will miss encodings and spellings not in the
# pattern, so pair it with the code-level fix (prepared statements plus a
# numeric allow-list on roll) rather than relying on it alone.
SecRule ARGS:roll "@rx (?i)(union|select|insert|update|delete|drop|--|;|'|\")" \
"id:1010110,phase:2,deny,status:403,log,msg:'CVE-2026-10110 SQL Injection attempt on roll parameter'"
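The Root Cause section and the first two workarounds describe the same fix: stop concatenating the roll value into the query, bind it as a parameter, and reject anything that is not a number before it reaches the database. The code below is an added example written for this page; it is not the code-projects application's own source, and the table and column names (students, roll, name, course) are assumptions. An in-memory SQLite database stands in for the real backend so the example runs on its own. The unsafe function is kept only to show the concatenation pattern the advisory describes next to its replacement.

```php
<?php
// Added example, not the code-projects application's own source. It shows
// the concatenation pattern the advisory describes next to a hardened
// replacement. Table/column names (students: roll, name, course) are
// assumptions; an in-memory SQLite database stands in for the real backend.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative of the flaw, kept for contrast) ---
function lookupStudentUnsafe(PDO $db, string $roll): array
{
    // Client-controlled text becomes part of the statement itself.
    $sql = "SELECT name, course FROM students WHERE roll = '" . $roll . "'";
    return $db->query($sql)->fetchAll();
}

// --- Hardened replacement: allow-list validation + parameterized query ---

/** Roll numbers are positive integers; anything else is rejected up front. */
function validateRoll(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    return preg_match('/^[1-9][0-9]{0,9}$/', (string)$raw) ? (int)$raw : null;
}

/** The statement text is fixed at prepare time; the value is bound separately. */
function lookupStudentSafe(PDO $db, int $roll): array
{
    $stmt = $db->prepare('SELECT name, course FROM students WHERE roll = :roll');
    $stmt->bindValue(':roll', $roll, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

/** Self-contained fixture (assumed schema) so the example runs without a real database. */
function demoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE students (roll INTEGER PRIMARY KEY, name TEXT, course TEXT)');
    $ins = $db->prepare('INSERT INTO students VALUES (:roll, :name, :course)');
    foreach ([[1023, 'A. Student', 'CS101'], [1024, 'B. Student', 'EE201']] as [$r, $n, $c]) {
        $ins->execute([':roll' => $r, ':name' => $n, ':course' => $c]);
    }
    return $db;
}

/** Request handler as it would sit in /index.php; $query plays the role of $_GET. */
function handleRequest(PDO $db, array $query): array
{
    $roll = validateRoll($query['roll'] ?? null);
    if ($roll === null) {
        return ['status' => 400, 'body' => 'Invalid roll number'];
    }
    try {
        return ['status' => 200, 'body' => lookupStudentSafe($db, $roll)];
    } catch (PDOException $e) {
        error_log('index.php DB error: ' . $e->getMessage());  // detail stays server-side
        return ['status' => 500, 'body' => 'Internal error'];
    }
}

$db = demoDatabase();
var_export(handleRequest($db, ['roll' => '1023']));   // well-formed roll number
var_export(handleRequest($db, ['roll' => "1023'"]));  // trailing quote: rejected by validateRoll
```

Two design points matter here. Validation and parameterization are independent layers: the allow-list gives the attacker no path to the database at all for malformed input, and the bound parameter guarantees that even a value which passes validation cannot change the query's structure. Returning a generic 400 or 500 and logging the PDO message server-side also keeps database error text out of responses, which removes the feedback that error-based injection relies on.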
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

