Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the component User Registration Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely.
AnalysisAI
SQL injection in code-projects Student Membership System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the User Registration Handler component. The vulnerability has a CVSS score of 7.3 with network-based attack vector and low complexity, requiring no privileges or user interaction. EPSS data not available; no CISA KEV listing indicates confirmed actively exploited status is unknown. Publicly available exploit code exists per researcher disclosure on GitHub, elevating real-world risk for organizations running this application.
Technical ContextAI
This vulnerability stems from CWE-89 (SQL Injection), a code injection flaw where untrusted input is incorporated into SQL queries without proper sanitization or parameterization. The affected component is code-projects Student Membership System version 1.0, specifically within the User Registration Handler module (CPE: cpe:2.3:a:code-projects:student_membership_system:*:*:*:*:*:*:*:*). Student Membership System is a web-based application for managing student records and memberships. The registration handler likely processes user-supplied input fields during account creation, such as username, email, or personal details, which are then passed unsafely to backend SQL queries. Without input validation or prepared statements, attackers can inject malicious SQL commands that the database executes with application privileges, potentially bypassing authentication, extracting sensitive student data, modifying records, or escalating privileges within the application database.
RemediationAI
No vendor-released patch identified at time of analysis. Organizations currently running code-projects Student Membership System 1.0 should immediately discontinue use of the User Registration functionality until remediation is available, or implement compensating controls. Immediate mitigation options include deploying a web application firewall configured with SQL injection signatures to filter malicious input targeting the registration handler, restricting network access to the registration endpoint to trusted IP ranges only, or disabling public user registration entirely if operationally feasible. For development teams maintaining custom deployments, apply secure coding practices by replacing all dynamic SQL queries in the User Registration Handler with parameterized prepared statements or stored procedures, implement strict input validation using allow-lists for expected character sets and formats, apply principle of least privilege to database accounts used by the application, and conduct thorough code review of all user input handling pathways. Monitor vendor resources at https://code-projects.org/ and VulDB references https://vuldb.com/vuln/354293 for potential future patches. Consider migrating to actively maintained student management systems with established security response processes.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17341