CVE-2026-5669
Published: 06 April 2026
Summary
CVE-2026-5669 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-5669 is a SQL injection vulnerability (CWE-74, CWE-89) in the Cyber-III Student-Management-System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. It affects unknown code in the /login.php file of the Parameter Handler component, where manipulation of the Password argument enables the injection.
The vulnerability is exploitable remotely by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Due to the product's rolling release model, specific details on affected and updated versions are unavailable. The project was informed early via GitHub issue #240 but has not responded. An exploit has been publicly disclosed, with details available in VULDB entries and the GitHub repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19396
Vulnerability details
A vulnerability has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This vulnerability affects unknown code of the file /login.php of the component Parameter Handler. Such manipulation of the argument Password leads to sql injection. It is possible to launch…
more
the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated SQL injection in public-facing web app login.php directly enables T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs like the Password parameter in /login.php to prevent SQL injection exploitation.
Mandates timely identification, reporting, and correction of flaws such as the SQL injection vulnerability in the Parameter Handler component.
Requires vulnerability scanning to identify SQL injection flaws like CVE-2026-5669 in the Student-Management-System.