Severity by source
Primary rating from NVD · only source for this CVE.
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. It affects an unknown function of the Login Page component: manipulating the email argument can lead to SQL injection. The attack can be performed remotely. An exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI-generated)
SQL injection in sambitraj's Student Management System 1.0 exposes the login page to unauthenticated remote exploitation via a crafted email parameter, enabling attackers to manipulate backend database queries. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special conditions are required for exploitation. …
Attack chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | No special conditions are required: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N confirms remote, unauthenticated exploitation against the login page of any network-accessible deployment of Student Management System 1.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.5 (Medium) reflects a fully network-accessible, zero-prerequisite attack (AV:N/AC:L/AT:N/PR:N/UI:N/E:P): the vulnerability is trivially reachable and a proof-of-concept exists, which raises the real-world likelihood of exploitation beyond what the Medium score alone suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker navigates to the publicly accessible login page of a deployed Student Management System 1.0 instance and submits a crafted SQL injection payload in the email field (for example a tautology such as `' OR '1'='1'--`) to bypass authentication or enumerate database contents. A public proof-of-concept has been published in GitHub issue #2 (https://github.com/sambitraj/STUDENT-MANAGEMENT-SYSTEM/issues/2), so the exact technique is openly documented and requires minimal attacker skill to replicate. |
| Remediation | No vendor-released patch had been identified at the time of analysis; the vendor has not responded to the responsible disclosure. … Detailed patch versions, workarounds, and compensating controls are in the full report. |
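The assessment above describes the defect class (a login query built from the raw email argument) and the tautology that exploits it, but no fix, since the vendor has not shipped one. The following is an added example, not code from the sambitraj project (the page does not state the project's implementation language) and not from this advisory: a minimal login check in Python against an in-memory SQLite database, written once with string concatenation and once with bound parameters. The `users` table, its `email`/`password` columns, the sample rows and the function names are all constructed for this illustration. Running it shows that the tautology from the Exploit Scenario row logs in as the first stored user through the concatenated query and is treated as a literal (non-matching) email by the parameterized one, which is the compensating control a maintainer would apply to the login page.

```python
import sqlite3

# Constructed sample rows for this example; not data from the real project.
# Passwords are kept in plaintext only to keep the injection demonstration short;
# a real login table stores salted password hashes.
SAMPLE_USERS = [
    ("alice@example.edu", "correct horse battery staple"),
    ("bob@example.edu", "hunter2"),
]

# The tautology quoted in the advisory's Exploit Scenario row.
TAUTOLOGY = "' OR '1'='1'--"


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(email, password):
    """Return the SQL text a concatenating login handler would execute.

    Kept as a separate function so the effect of the payload on the query
    text can be inspected directly.
    """
    return ("SELECT email FROM users WHERE email = '" + email
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, email, password):
    """Login check that splices user input into the SQL text.

    This is the defect class the advisory describes for the login page's
    email argument: the quote in the payload closes the string literal,
    OR '1'='1' makes the predicate true for every row, and -- comments out
    the password comparison.
    """
    row = conn.execute(build_vulnerable_query(email, password)).fetchone()
    return row[0] if row else None


def login_hardened(conn, email, password):
    """Login check using bound parameters.

    The SQL text is fixed; the driver passes email and password to the
    engine as values, so a quote or comment marker inside them is never
    re-parsed as SQL. The payload simply fails to match any email.
    """
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both handlers against a valid login and against the tautology."""
    conn = make_db()
    valid_email, valid_password = SAMPLE_USERS[0]
    return {
        "vulnerable_valid": login_vulnerable(conn, valid_email, valid_password),
        "vulnerable_tautology": login_vulnerable(conn, TAUTOLOGY, "anything"),
        "hardened_valid": login_hardened(conn, valid_email, valid_password),
        "hardened_tautology": login_hardened(conn, TAUTOLOGY, "anything"),
        "injected_sql": build_vulnerable_query(TAUTOLOGY, "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened function is the whole fix for this defect class: the query shape is identical, only the transport of the values changes. Any query on the login page that still concatenates request parameters, not only the email one, needs the same treatment, and a grep for string concatenation or interpolation adjacent to SQL keywords is a quick way to find the remaining sites before a patch exists.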
Related identifiers: EUVD-2026-33450, GHSA-68fj-8vvr-wgf6