
CVE-2026-5197: SQL Injection in code-projects Student Membership System

Severity: Medium
Published: Tue Mar 31 2026 (03/31/2026, 10:00:15 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Student Membership System

Description

CVE-2026-5197 is a medium-severity SQL injection vulnerability in version 1.0 of the code-projects Student Membership System, specifically in the /delete_user.php file. The flaw arises from improper sanitization of the 'ID' parameter, allowing remote attackers to inject SQL without authentication or user interaction. Exploitation could lead to partial compromise of the confidentiality, integrity, and availability of the backend database. No exploitation in the wild has been reported, but exploit code has been published, which increases the likelihood of attacks. The vulnerability affects systems running this version of the Student Membership System, which is likely used by educational institutions or organizations managing student memberships. Mitigation requires immediate code review and patching to validate the input, use parameterized queries, and restrict database permissions. Countries with significant deployments of this or similar educational management software, including the United States, India, the United Kingdom, Canada, Australia, Germany, and Brazil, are at higher risk. Organizations should prioritize remediation to prevent unauthorized data access or manipulation.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 10:23:39 UTC

Technical Analysis

CVE-2026-5197 is an SQL injection vulnerability in version 1.0 of the code-projects Student Membership System, specifically within the /delete_user.php script. The vulnerability stems from improper handling of the 'ID' parameter, whose value reaches the database query without validation or parameterization. This allows remote attackers to alter the SQL statement executed by the backend database without authentication or user interaction. The CVSS 4.0 base score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity, and no required privileges or user interaction, but low impact on each of confidentiality, integrity, and availability. Exploitation could enable attackers to delete or modify user data, extract information, or disrupt database operations, depending on the privileges of the database account and the query context. Only version 1.0 of the Student Membership System is affected, a product likely used by educational institutions or organizations managing student memberships. No official patch had been released at the time of writing, and while no exploitation in the wild has been reported, the public availability of exploit code increases the risk. The vulnerability highlights the need for secure coding practices, including input validation and parameterized queries, to prevent SQL injection.
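The bug class described above, as an added illustration written for this page: it is not the Student Membership System's own /delete_user.php (which is PHP) and makes no claim about that file's exact query. It assumes a users table keyed by an integer id and a handler that deletes the row named by the request's ID value; an in-memory SQLite table stands in for the real backend, and the tautology payload is constructed for the demo rather than taken from the published exploit.

```python
# Added illustration of the bug class behind CVE-2026-5197 (not the product's
# own code). Assumes a users table keyed by an integer id and a handler that
# deletes the row named by the request's "ID" value.
import re
import sqlite3


def make_db():
    """Constructed fixture: three membership rows in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def remaining_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_vulnerable(conn, raw_id):
    """The unsafe pattern: the request value is concatenated into SQL text,
    so any SQL tokens it carries are parsed as part of the statement."""
    query = "DELETE FROM users WHERE id = " + raw_id
    conn.execute(query)
    conn.commit()
    return query


def delete_user_safe(conn, raw_id):
    """Hardened form: allow-list the shape of the value, then bind it as a
    parameter so the database never interprets it as SQL."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[1-9][0-9]{0,9}", raw_id):
        raise ValueError("ID must be a positive integer")
    cur = conn.execute("DELETE FROM users WHERE id = ?", (int(raw_id),))
    conn.commit()
    return cur.rowcount  # rows actually removed: 1 or 0


def demo(payload="1 OR 1=1"):
    """Run both handlers against the same constructed tautology payload and
    report what each one left in the table."""
    vuln = make_db()
    delete_user_vulnerable(vuln, payload)

    safe = make_db()
    try:
        delete_user_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_rows_left": remaining_users(vuln),
        "safe_rows_left": remaining_users(safe),
        "safe_rejected_payload": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the concatenated query wiping every row while the hardened handler rejects the value before any SQL runs; the integer allow-list is a second line of defence in front of the bound parameter, not a substitute for it.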

Potential Impact

The potential impact of CVE-2026-5197 includes unauthorized data manipulation or deletion, exposure of sensitive student or membership information, and disruption of system availability. Attackers exploiting this vulnerability could compromise the integrity of the membership database by deleting or altering user records, potentially leading to denial of service or data loss. Confidentiality could be partially impacted if attackers extract data through crafted SQL queries. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations using the affected software. Educational institutions and organizations managing student memberships could face operational disruptions, reputational damage, and regulatory compliance issues related to data breaches. The scope is limited to deployments of version 1.0 of the Student Membership System, but given the public exploit availability, the risk of widespread attacks is elevated until mitigations are applied.

Mitigation Recommendations

To mitigate CVE-2026-5197, organizations should immediately audit and update the /delete_user.php code so that the 'ID' parameter is validated (it should only ever be a positive integer) and passed to the database through a parameterized query or prepared statement; parameterization, not string sanitization, is what actually prevents SQL injection. Because the endpoint can be reached without credentials, also confirm that destructive actions such as user deletion are gated behind an authenticated, authorized session. Restrict the application's database account to the minimum necessary privileges so that an injection cannot reach beyond the tables the feature needs. Upgrade to a patched version once the vendor releases one. In the interim, a web application firewall with SQL injection rules can block obvious payloads aimed at the vulnerable endpoint, but treat it as a stopgap: encoding variations can slip past signature rules, so code remediation remains necessary. Conduct static and dynamic testing to find and fix similar injection flaws elsewhere in the application. Monitor web server logs for requests to /delete_user.php whose 'ID' value is anything other than a plain integer, which is a cheap and precise indicator of probing. Educate developers on secure coding practices to prevent recurrence.
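The log-monitoring step above, as an added detection example written for this page (not part of the product or of any vendor tooling). It assumes Apache/nginx combined-format access logs and that the ID value travels in the query string; a POST body would not appear in the access log, so that case needs application-level logging instead. The sample log lines are constructed, and the two flagged probes carry generic tautology and quote characters rather than the published exploit.

```python
# Added detection example for the "monitor logs for /delete_user.php and the
# ID parameter" advice; not part of the product or of any vendor tooling.
# Assumes combined-format access logs with the ID in the query string.
import re
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one legitimate deletion, two probes, one unrelated
# request, and one POST whose body (and therefore ID) is not in the log.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:10:05:11 +0000] "GET /delete_user.php?ID=42 HTTP/1.1" 302 0
203.0.113.9 - - [31/Mar/2026:10:05:12 +0000] "GET /delete_user.php?ID=42%20OR%201%3D1 HTTP/1.1" 302 0
198.51.100.3 - - [31/Mar/2026:10:05:13 +0000] "GET /delete_user.php?id=42%27 HTTP/1.1" 500 0
198.51.100.4 - - [31/Mar/2026:10:05:14 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512
198.51.100.5 - - [31/Mar/2026:10:05:15 +0000] "POST /delete_user.php HTTP/1.1" 302 0
"""

# A legitimate ID is a short run of digits and nothing else.
VALID_ID = re.compile(r"[0-9]{1,10}")


def extract_id(target):
    """Return the percent-decoded ID value from a /delete_user.php request,
    or None if the request is for another path or carries no ID."""
    parts = urlsplit(target)
    if parts.path != "/delete_user.php":
        return None
    # parse_qs percent-decodes for us; match the name case-insensitively so
    # scanner variants such as "id=" are not missed.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "id":
            return values[0]
    return None


def scan(log_text):
    """Flag every /delete_user.php request whose ID is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        value = extract_id(m.group("target"))
        if value is None or VALID_ID.fullmatch(value):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "id": value,
            "status": m.group("status"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Decoding before the check matters: matching the raw target against "OR" or a quote would miss percent-encoded probes, whereas comparing the decoded value against the allow-list of legitimate shapes catches anything that is not a bare integer without needing a payload signature list.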


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-30T22:24:06.315Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69cb9d1de6bfc5ba1d052b2c

Added to database: 3/31/2026, 10:08:29 AM

Last enriched: 3/31/2026, 10:23:39 AM

Last updated: 3/31/2026, 11:31:06 AM



