Cyber Resilience

CVE-2026-2171

Medium

Published: 08 February 2026

Modified: 23 February 2026
KEV Added:
Patch:
CVSS Score (v4): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0039 (30.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2171 is a medium-severity Injection (CWE-74) vulnerability in Fabian Online Student Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2171 is a SQL injection vulnerability in code-projects Online Student Management System 1.0. The issue affects an unknown function within the file accounts.php of the Login component, where manipulation of the username and password arguments triggers the injection. Classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its remote exploitability.

The vulnerability can be exploited over the network by unauthenticated remote attackers, with low attack complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access to data, modification of database contents, or denial of service. An exploit has been publicly disclosed and could be readily used against unpatched instances.

VulDB advisories, referenced across multiple entries including ctiid.344872 and submissions 749233 and 754641, document the vulnerability's discovery and public exploit availability. No specific patches or vendor mitigations are detailed in the provided references, which primarily link back to the affected code-projects.org page for context. Security practitioners should isolate or upgrade affected systems promptly.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in public-facing web login component enables initial access via exploitation of the exposed application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0851 (same vendor: Fabian)
CVE-2026-2060 (same vendor: Fabian)
CVE-2025-7186 (same vendor: Fabian)
CVE-2026-2197 (same vendor: Fabian)
CVE-2025-7189 (same vendor: Fabian)
CVE-2026-0592 (same vendor: Fabian)
CVE-2026-0607 (same vendor: Fabian)
CVE-2026-0568 (same vendor: Fabian)
CVE-2026-1533 (same vendor: Fabian)
CVE-2026-2172 (same vendor: Fabian)

Affected Assets

fabian
online student management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation)

Directly requires validation of username/password inputs to block malformed SQL elements before they reach the database in accounts.php.

prevent: SI-2 (Flaw Remediation)

Mandates timely remediation of the publicly disclosed SQL injection flaw in the login component.

prevent

Enforces proper access decisions at login that the injection currently bypasses by manipulating authentication arguments.
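The following is an added illustration written for this entry; it is not code from the Online Student Management System and does not reproduce its accounts.php. It shows the unsafe pattern the advisory describes (request values interpolated into the SQL text of a login query) beside a hardened login that applies the SI-10 input validation and parameterized queries referred to above. The table and column names (users, username, password_hash) and the use of an in-memory SQLite database via the pdo_sqlite extension are assumptions made so the script runs stand-alone.

```php
<?php
// Added example for this advisory, not the project's own code.
// Assumptions: a table "users(id, username, password_hash)" and the
// pdo_sqlite extension (used here so the demo needs no external database).
declare(strict_types=1);

// VULNERABLE pattern (CWE-89): the request values become part of the SQL
// text, so a quote or other metacharacter in $username or $password
// changes the structure of the query instead of being compared as data.
function loginUnsafe(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password_hash = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SI-10 style input validation: reject inputs that cannot be a valid
// username before any database work happens (length bound, no control
// characters). This is defence in depth, not a substitute for binding.
function isWellFormedInput(string $value, int $maxLen = 64): bool
{
    $len = strlen($value);
    return $len >= 1 && $len <= $maxLen && preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// HARDENED login: the SQL text is constant; user input is sent only as a
// bound parameter, so the database never parses it as SQL. The password is
// checked against a stored hash with a constant-time comparison.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    if (!isWellFormedInput($username) || !isWellFormedInput($password, 1024)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: same result either way
    }
    unset($row['password_hash']);
    return $row;
}

// ---- self-contained demo with constructed data -------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

echo "safe, valid credentials:   ", var_export(loginSafe($pdo, 'alice', 'correct horse battery') !== null, true), PHP_EOL;
echo "safe, wrong password:      ", var_export(loginSafe($pdo, 'alice', 'nope') === null, true), PHP_EOL;
// A username containing a quote is just a string that matches no user.
echo "safe, quote in username:   ", var_export(loginSafe($pdo, "o'connor", 'x') === null, true), PHP_EOL;

// The same quoted input against the unsafe function alters the query text;
// with ERRMODE_EXCEPTION the database reports a syntax error, which is the
// observable symptom of the injection condition the advisory describes.
try {
    loginUnsafe($pdo, "o'connor", 'x');
    echo "unsafe, quote in username: query accepted", PHP_EOL;
} catch (PDOException $e) {
    echo "unsafe, quote in username: query structure changed (", get_class($e), ")", PHP_EOL;
}
```

Two design points: the hardened function returns the same `null` for an unknown user and for a wrong password so that login responses do not distinguish the two, and it strips `password_hash` from the returned row so the hash never leaves the authentication layer. Detection on the server side can key on the database syntax errors that the unsafe path produces, since a login form should never generate them in normal use.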

References