CVE-2026-2171 identifies a SQL injection vulnerability in the Online Student Management System version 1.0 developed by code-projects. The vulnerability resides in an unspecified function within the accounts.php file of the Login component. Attackers can remotely exploit this flaw by manipulating the username or password parameters, which are not properly sanitized or parameterized, allowing injection of malicious SQL code. This enables unauthorized access to the backend database, potentially exposing sensitive student and administrative data or allowing modification or deletion of records. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure of exploit code increases the likelihood of exploitation. The absence of official patches or updates necessitates immediate mitigation efforts by users of this software. The vulnerability is critical for organizations relying on this system for managing student data, as exploitation could lead to data breaches, disruption of services, and reputational damage.

For European organizations, particularly educational institutions using the affected Online Student Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of student and administrative data. Exploitation could lead to unauthorized disclosure of personal information, manipulation of academic records, or denial of service through database corruption. This could result in regulatory non-compliance under GDPR due to exposure of personal data, legal liabilities, and loss of trust among students and staff. The availability of the system could also be impacted if attackers modify or delete critical data. Given the remote exploitability without authentication, attackers could target multiple institutions en masse. The impact is heightened in countries with extensive digitalization of education services and where this software is deployed widely. Additionally, disruption in educational services could have broader societal implications, especially during critical academic periods.

Organizations should immediately audit their use of the code-projects Online Student Management System version 1.0 and isolate affected instances. Since no official patches are currently available, implement the following mitigations: 1) Apply strict input validation and sanitization on all user-supplied data, particularly username and password fields. 2) Refactor the login component to use parameterized queries or prepared statements to prevent SQL injection. 3) Employ Web Application Firewalls (WAFs) with rules targeting SQL injection patterns to block exploitation attempts. 4) Monitor logs for suspicious login attempts or unusual database queries. 5) Restrict database user permissions to the minimum necessary to limit damage if exploited. 6) Consider migrating to a more secure and actively maintained student management system. 7) Educate IT staff on the vulnerability and response procedures. 8) Prepare incident response plans in case of exploitation. These steps will reduce the attack surface and mitigate potential damage until an official patch is released.