CVE-2026-2171
Published: 08 February 2026
Summary
CVE-2026-2171 is a medium-severity Injection (CWE-74) vulnerability in Fabian Online Student Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2171 is a SQL injection vulnerability in code-projects Online Student Management System 1.0. The issue affects an unknown function within the file accounts.php of the Login component, where manipulation of the username and password arguments triggers the injection. Classified under CWE-74 (Injection) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated high severity because it is exploitable remotely without authentication.
The vulnerability is exploitable over the network with low attack complexity and requires neither privileges nor user interaction. Successful exploitation has limited impact on confidentiality, integrity, and availability, such as unauthorized access to data, modification of database contents, or denial of service. An exploit has been publicly disclosed and could be readily used against unpatched instances.
VulDB advisories, referenced across multiple entries including ctiid.344872 and submissions 749233 and 754641, document the vulnerability's discovery and public exploit availability. No specific patches or vendor mitigations are detailed in the provided references, which primarily link back to the affected code-projects.org page for context. Security practitioners should isolate or upgrade affected systems promptly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5779
Vulnerability details
A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection in public-facing web login component enables initial access via exploitation of the exposed application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of username/password inputs to block malformed SQL elements before they reach the database in accounts.php.
- SI-2 (Flaw Remediation): Mandates timely remediation of the publicly disclosed SQL injection flaw in the login component.
- Enforces proper access decisions at login that the injection currently bypasses by manipulating authentication arguments.
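As an added illustration of the input-validation and access-decision points above (this is not code from the Online Student Management System or its accounts.php, and it is written in Python with sqlite3 rather than the project's PHP), the query-splicing pattern the advisory describes is shown beside a parameterized login. The table layout, the 64-character field limit and the sample credential are constructed for the example.

```python
import hashlib
import hmac
import sqlite3

MAX_FIELD_LEN = 64  # constructed limit; the real application's limits are not published


def _digest(password):
    # Stand-in for a real password hash (production code should use a slow KDF
    # such as argon2 or bcrypt); it lets the hardened path compare hashes, not plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    # Constructed in-memory user table; not the project's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _digest("correct horse")))
    conn.commit()
    return conn


def build_query_concatenated(username, password):
    # The defect class the advisory describes: both request arguments are spliced
    # into the SQL text, so a quote in either field changes the statement's structure.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND pw_hash = '" + password + "'")


def concatenated_query_fails(conn, username, password):
    # True when the spliced statement no longer parses, i.e. user data has
    # escaped the string literal and become SQL syntax.
    try:
        conn.execute(build_query_concatenated(username, password))
        return False
    except sqlite3.OperationalError:
        return True


def validate_field(value):
    # SI-10 style input validation as defence in depth: string type, bounded length.
    # Parameter binding below is the primary control; validation alone is not enough.
    return isinstance(value, str) and 0 < len(value) <= MAX_FIELD_LEN


def login_parameterized(conn, username, password):
    # Hardened pattern: fixed SQL text with driver-bound values, so quotes and
    # keywords in username/password stay data. The access decision is then made
    # in code with a constant-time hash comparison, not by the shape of the query.
    if not (validate_field(username) and validate_field(password)):
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _digest(password))
```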