CVE-2026-2171 – This SQL injection vulnerability in Online Stud... (How to Fix)

Q: What is the severity of CVE-2026-2171?

CVE-2026-2171 has a CVSS score of 7.3 (HIGH). This SQL injection vulnerability in Online Student Management System 1.0 allows attackers to manipulate database queries through the login form. Attackers can potentially access, modify, or delete sensitive student data. All deployments of version 1.0 with default configurations are affected.

📋 TL;DR

This SQL injection vulnerability in Online Student Management System 1.0 allows attackers to manipulate database queries through the login form. Attackers can potentially access, modify, or delete sensitive student data. All deployments of version 1.0 with default configurations are affected.

💻 Affected Systems

Products:

code-projects Online Student Management System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the login component at accounts.php with username/password parameters

📦 What is this software?

Online Student Management System by Fabian

View all CVEs affecting Online Student Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized access to student records, grade manipulation, or credential theft

🟢

If Mitigated

Limited impact with proper input validation and database permissions

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Remote exploitation possible via login form; exploit details are publicly available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameterized queries or input validation to accounts.php

Modify accounts.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM users WHERE username = ? AND password = ?'); $stmt->bind_param('ss', $username, $password);

Web Application Firewall

linux

Deploy WAF with SQL injection rules

Install and configure ModSecurity with OWASP CRS rules

🧯 If You Can't Patch

Isolate the system behind a reverse proxy with strict input filtering
Implement network segmentation and restrict database access to application server only

🔍 How to Verify

Check if Vulnerable:

Test login form with SQL injection payloads like ' OR '1'='1 in username/password fields

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Attempt SQL injection after implementing parameterized queries; successful login should only occur with valid credentials

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple failed login attempts with SQL syntax

Network Indicators:

HTTP POST requests to accounts.php containing SQL keywords
Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/accounts.php" AND (request_body CONTAINS "' OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT *")

📊 Metadata

CVE ID: CVE-2026-2171

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (9th percentile)

Published: February 8, 2026

Last Updated: February 23, 2026

🔗 References

https://code-projects.org/ Product
https://vuldb.com/?ctiid.344872 Permissions Required,VDB Entry
https://vuldb.com/?id.344872 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.749233 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.754641

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2171, you might also want to check these: