CVE-2026-1160 – CVE-2026-1160 is a SQL injection vulnerability ... (How to Fix)

Q: What is the severity of CVE-2026-1160?

CVE-2026-1160 has a CVSS score of 7.3 (HIGH). CVE-2026-1160 is a SQL injection vulnerability in PHPGurukul Directory Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the searchdata parameter in the search function. This affects all installations of PHPGurukul Directory Management System 1.0 that have the vulnerable component exposed.

📋 TL;DR

CVE-2026-1160 is a SQL injection vulnerability in PHPGurukul Directory Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the searchdata parameter in the search function. This affects all installations of PHPGurukul Directory Management System 1.0 that have the vulnerable component exposed.

💻 Affected Systems

Products:

PHPGurukul Directory Management System

Versions: 1.0

Operating Systems: All operating systems running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations are vulnerable as the SQL injection exists in core search functionality.

📦 What is this software?

Directory Management System by Phpgurukul

View all CVEs affecting Directory Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access, extraction of sensitive information, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit exists.

🏢 Internal Only: MEDIUM - Still exploitable by internal attackers but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit is publicly available on GitHub and requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the searchdata parameter.

Modify /index.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM table WHERE column LIKE ?'); $stmt->bind_param('s', $searchdata);

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns in search parameters.

Add WAF rule: Block requests containing SQL keywords (UNION, SELECT, INSERT, etc.) in searchdata parameter

🧯 If You Can't Patch

Restrict network access to the application using firewall rules
Implement rate limiting and monitoring for suspicious search patterns

🔍 How to Verify

Check if Vulnerable:

Test the search functionality with SQL injection payloads like ' OR '1'='1 in the searchdata parameter.

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

Verify that SQL injection payloads no longer return unexpected results or database errors.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed login attempts following search requests
Database error messages containing SQL syntax

Network Indicators:

HTTP requests with SQL keywords in searchdata parameter
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (searchdata CONTAINS "UNION" OR searchdata CONTAINS "SELECT" OR searchdata CONTAINS "INSERT")

📊 Metadata

CVE ID: CVE-2026-1160

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.04% exploit probability (9.8th percentile)

Published: January 19, 2026

Last Updated: February 6, 2026

🔗 References

https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2 Exploit,Issue Tracking,Mitigation,Third Party Advisory
https://phpgurukul.com/ Product
https://vuldb.com/?ctiid.341754 Permissions Required,VDB Entry
https://vuldb.com/?id.341754 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.736333 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1160, you might also want to check these: