CVE-2026-1160 identifies a SQL injection vulnerability in PHPGurukul Directory Management System version 1.0, specifically in the Search component's /index.php file. The vulnerability arises from improper sanitization of the 'searchdata' parameter, which is directly used in SQL queries without adequate validation or parameterization. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially manipulating the backend database. The vulnerability does not require any privileges or user interaction, making it easily exploitable over the network. The impact includes unauthorized data disclosure, modification, or deletion, and possibly denial of service if the database is disrupted. Although no exploits have been reported in the wild, the public disclosure increases the risk of exploitation by attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. The vulnerability affects only version 1.0 of the product, and no official patches have been linked yet. The PHPGurukul Directory Management System is used primarily in South Asian markets, which may influence the geographic risk profile.

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized access to sensitive data, data corruption, or deletion. This compromises confidentiality, integrity, and availability of the system's data. Organizations using the affected software may face data breaches, loss of customer trust, regulatory penalties, and operational disruptions. Since the vulnerability is remotely exploitable without authentication or user interaction, it poses a significant risk of automated attacks and exploitation by opportunistic threat actors. The absence of known exploits in the wild currently limits immediate impact, but public disclosure increases the likelihood of future attacks. The impact is particularly critical for organizations relying on the directory system for sensitive or business-critical information management.

1. Immediately audit all instances of PHPGurukul Directory Management System version 1.0 for exposure of the vulnerable Search component. 2. Implement strict input validation on the 'searchdata' parameter, ensuring only expected characters and formats are accepted. 3. Refactor the code to use parameterized queries or prepared statements to prevent SQL injection. 4. Monitor network traffic and logs for suspicious queries or unusual database activity related to the search functionality. 5. If available, apply official patches or updates from PHPGurukul addressing this vulnerability as soon as they are released. 6. Employ web application firewalls (WAFs) with SQL injection detection rules tailored to the application's query patterns. 7. Conduct regular security assessments and penetration testing focusing on injection flaws. 8. Educate developers on secure coding practices to prevent similar vulnerabilities in future versions.