CVE-2026-10110: SQL Injection in Student Details Management System
| Field | Value |
|---|---|
| CVE ID | CVE-2026-10110 |
| CVSS score | 7.3 |
| Attack vector | Remote network attack is stated; exact CVSS vector string was not available in the reviewed source |
| Authentication required | None indicated by NVD; attacker can exploit remotely |
| Patch status | No verified vendor patch or fixed version found as of 2026-05-30 |
TL;DR - Remote SQL injection affects
code-projects Student Details Management System 1.0. - The vulnerable input is therollparameter in/index.php; no auth appears required. - Public exploit code is referenced by NVD, but in-the-wild exploitation is not confirmed.
What This Vulnerability Is and Why It Matters
CVE-2026-10110 is a SQL injection vulnerability in code-projects Student Details Management System 1.0. According to the NVD description, the flaw is in /index.php and can be triggered by manipulating the roll parameter. This issue fits CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
For defenders, the practical takeaway is simple: if this application is exposed to untrusted users, an attacker may be able to alter backend database queries without valid credentials. In a student records application, that can mean unauthorized access to records, bulk enumeration, and potentially data modification or deletion, depending on the database account permissions used by the PHP application. Even if the deployment is “internal only,” this still matters for schools, labs, or SMBs where flat internal networks and weak access controls are common.
Affected Products and Confirmed Version Range
The confirmed affected product from the reviewed primary-source material is:
- Vendor / publisher: code-projects
- Product: Student Details Management System
- Confirmed affected version: 1.0
The affected component named in the CVE description is:
- File:
/index.php - Parameter:
roll
At this time, the only version that can be stated as affected based on the available evidence is Student Details Management System 1.0. There is no verified evidence from the reviewed sources establishing whether earlier development builds, forks, or later repackaged copies are also vulnerable. There is also no verified fixed version number available from a vendor advisory or patch note. Because of that, defenders should avoid assuming that any downloaded copy labeled “1.0” has been silently fixed unless they can validate source changes themselves.
Exploitation Status: Public PoC vs. Confirmed In-The-Wild Use
The NVD description explicitly states that “The exploit is now public and may be used.” One of the CVE references points to a GitHub repository that appears to be a proof-of-concept or exploit repository for this issue. Based on that, it is appropriate to say that a public PoC exists or is at least strongly indicated by the NVD references.
What is not confirmed is active exploitation in the wild. This CVE was not listed on the CISA Known Exploited Vulnerabilities catalog at the time of review, and no primary-source evidence in the provided material confirmed real-world attacks, mass scanning, ransomware use, or botnet activity tied to this flaw. Defenders should therefore state the status accurately: public exploit availability is indicated; confirmed in-the-wild exploitation is not verified. In practice, when a no-auth SQL injection has public exploit code, exposed instances should still be treated as high priority because weaponization costs are low.
Risk Assessment for Practitioners
A CVSS base score of 7.3 places this in the high-severity range. Although the exact vector string was not available in the reviewed source material, the narrative description supports several important risk assumptions: the attack is remote, likely unauthenticated, and targets a web-facing input. Those factors typically compress time-to-exploitation once proof-of-concept material becomes available.
Impact depends on how the application is coded and what permissions its database account has. At minimum, a successful SQL injection often enables unauthorized reads from the application’s underlying tables. In a student management context, that may expose names, roll numbers, contact details, grades, or other records. If the database user can write, the risk can extend to tampering with records. If error messages are verbose or the stack is poorly segmented, attackers may also gain enough information to pivot into broader application compromise. Since the exact exploit chain and demonstrated post-exploitation capabilities were not included in the reviewed references, defenders should assume read access is plausible, write access is possible, and full impact depends on database privileges and application architecture.
Bottom Line
CVE-2026-10110 is a high-severity remote SQL injection affecting code-projects Student Details Management System 1.0 through the roll parameter in /index.php. A public exploit is indicated, but confirmed exploitation in the wild is not verified from the reviewed sources. The biggest operational problem is that a vendor patch and fixed version are not currently verified, so defenders should focus on exposure reduction, compensating controls, and code-level remediation rather than waiting for a confirmed update path.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```
How to Detect Attempted or Successful Exploitation
Detection should focus first on HTTP requests to /index.php that include a suspicious roll parameter. SQL injection attempts often show up as special characters, boolean conditions, comments, UNION clauses, or time-based payloads embedded in what should normally be a numeric or tightly formatted identifier. Because the vulnerable parameter is known, defenders can build targeted detections even without full exploit details.
You should also review database and web server logs together. A typical pattern is a burst of requests against the same endpoint with varying roll values, followed by SQL errors, longer response times from time-based probes, or abnormal result sizes. If the application runs behind Apache or Nginx and uses PHP with MySQL or MariaDB, correlate access logs with PHP error logs and database slow-query or general-query logs where available.
Technical Notes
Example web log indicators to hunt for in access logs:
GET /index.php?roll=1' HTTP/1.1
GET /index.php?roll=1%27%20OR%20%271%27%3D%271 HTTP/1.1
GET /index.php?roll=1%20UNION%20SELECT HTTP/1.1
GET /index.php?roll=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1
GET /index.php?roll=1%20ORDER%20BY%201--%20 HTTP/1.1
Simple grep hunt on Apache/Nginx logs:
grep -Ei 'GET /index\.php\?roll=.*(%27|'"'"'|union|select|sleep\(|order%20by|or%20|--|%23)' /var/log/apache2/access.log
Example Sigma-style logic defenders can adapt to SIEM search:
title: Suspicious roll Parameter Access to Student Details Management System
logsource:
category: webserver
detection:
selection:
cs-uri-stem: "/index.php"
cs-uri-query|contains: "roll="
keywords:
cs-uri-query|contains:
- "'"
- "%27"
- " union "
- " select "
- "sleep("
- "--"
- "%23"
- " or "
condition: selection and keywords
level: high
If you have database logging enabled, hunt for errors or abnormal queries involving user-controlled roll values. A generic MySQL-oriented grep can help:
grep -Ei 'sql syntax|warning.*mysql|mysqli|You have an error in your SQL syntax|near .*roll' /var/log/php*/error.log /var/log/apache2/error.log 2>/dev/null
Mitigation and Patching Guidance
The most important limitation in this case is that a vendor-issued fix or fixed version could not be verified from the reviewed sources. That means defenders cannot truthfully claim, based on current evidence, that there is a known safe release such as “1.0.1” or “2.0.” The only confirmed vulnerable version is 1.0, and the fixed version is unknown. In the absence of patch data, assume any deployed copy of Student Details Management System 1.0 remains vulnerable until proven otherwise.
If the application is internet-accessible, the safest short-term action is to remove public access or place it behind a trusted reverse proxy, VPN, or IP allowlist while you assess the code. If the system is nonessential or unsupported, retirement may be more defensible than trying to harden abandoned PHP code. If you must keep it running, implement layered controls: strict input validation on roll, parameterized queries in the application code, WAF rules for SQL injection payloads, and least-privilege database credentials that cannot drop tables or modify unrelated data.
Technical Notes
If the application is deployed from a local PHP project directory, there may be no package manager upgrade path. In that case, first identify the installed copy and back it up:
find /var/www -type f -name "index.php" | grep -i "student"
tar czf /root/student-details-backup-$(date +%F).tar.gz /var/www/html/
If you choose an emergency code workaround before a verified vendor fix exists, enforce numeric-only handling of the roll parameter and migrate queries to prepared statements. Example PHP defensive pattern:
<?php
$roll = filter_input(INPUT_GET, 'roll', FILTER_VALIDATE_INT);
if ($roll === false || $roll === null) {
http_response_code(400);
exit('Invalid roll');
}
$stmt = $mysqli->prepare("SELECT * FROM students WHERE roll = ?");
$stmt->bind_param("i", $roll);
$stmt->execute();
$result = $stmt->get_result();
?>
If Apache is in front of the app, a temporary ModSecurity-style block can reduce exposure while you fix code:
SecRule REQUEST_URI "@streq /index.php" \
"id:1011001,phase:2,deny,status:403,chain,msg:'Block suspicious roll parameter for CVE-2026-10110'"
SecRule ARGS:roll "@rx (?i)(?:'|%27|union|select|sleep\(|--|%23|\bor\b|\band\b)" "t:none"
If you need to restrict exposure immediately at the web server layer, an allowlist control is often faster than code remediation:
# Example: allow only a trusted admin subnet to access the app
ufw allow from 192.0.2.0/24 to any port 80
ufw allow from 192.0.2.0/24 to any port 443
ufw deny 80
ufw deny 443
ufw reload
Because no verified fixed version number is available, there is no trustworthy upgrade command I can provide for a vendor release. If your organization maintains its own fork in Git, use your standard deployment command only after reviewing and testing a code fix:
git checkout main
git pull --ff-only
php -l /var/www/html/index.php
systemctl reload apache2
That is an example deployment workflow, not evidence of a vendor patch.
Practical Response Checklist
Start with exposure reduction. Inventory where Student Details Management System 1.0 is running, especially on internet-reachable hosts, school lab servers, and shared hosting environments. If you cannot quickly confirm whether a system is exposed, assume exposure until firewall rules, reverse proxy settings, and external scans prove otherwise. Capture a backup before making code changes.
Then validate whether the application uses direct SQL string concatenation around the roll parameter. If it does, prioritize replacing that logic with prepared statements and server-side input validation. Review the application’s database account privileges and remove unnecessary INSERT, UPDATE, DELETE, DROP, and administrative rights. Finally, monitor logs for exploitation attempts after mitigation because public exploit availability often drives opportunistic scanning even when a product has a small footprint.
References
- NVD CVE record for CVE-2026-10110
- CISA Known Exploited Vulnerabilities catalog lookup for CVE-2026-10110 (not listed at review time)
- code-projects product site: Student Details Management System In PHP With Source Code
- GitHub reference associated with a likely PoC repository:
https://github.com/Xmyronn/Student-Details-Management-System-1.0---SQL-Injection-Unauthenticated-.git