Cyber Resilience

CVE-2026-1160

MediumPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1160 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Directory Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-1160 is a SQL injection vulnerability affecting PHPGurukul Directory Management System version 1.0. The flaw resides in an unknown function within the /index.php file of the Search component, where manipulation of the 'searchdata' argument enables SQL code injection. Published on 2026-01-19, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWEs 74 and 89.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and low attack complexity, requiring no user interaction. Exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption depending on the database backend.

Advisories and further details are documented on VulDB (ctiid.341754, id.341754, submit.736333), the vendor site phpgurukul.com, and a GitHub issue at YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2, where the exploit has been publicly disclosed and may be used. No specific patch or mitigation steps are outlined in the CVE description.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. Impacted is an unknown function of the file /index.php of the component Search. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated…

more

remotely. The exploit has been disclosed publicly and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a public-facing web application component enables exploitation of the system without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7164Same vendor: Phpgurukul
CVE-2025-1581Same vendor: Phpgurukul
CVE-2025-7520Same vendor: Phpgurukul
CVE-2025-2088Same vendor: Phpgurukul
CVE-2025-7522Same vendor: Phpgurukul
CVE-2025-2683Same vendor: Phpgurukul
CVE-2026-2134Same vendor: Phpgurukul
CVE-2026-2088Same vendor: Phpgurukul
CVE-2025-2679Same vendor: Phpgurukul
CVE-2025-2676Same vendor: Phpgurukul

Affected Assets

phpgurukul
directory management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the searchdata input argument to block SQL injection payloads before they reach the database.

detect

Enables monitoring and analysis of application/database queries to identify anomalous SQL statements originating from the /index.php search function.

prevent

Enforces access-control decisions on database operations so that even successful injection cannot exceed the application's authorized data actions.

References