CVE-2026-5198 identifies a SQL injection vulnerability in the code-projects Student Membership System version 1.0. The vulnerability is located in the /admin/index.php file, specifically within the Admin Login component, where the username and password parameters are not properly sanitized or validated. This allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating these input fields. Exploitation does not require user interaction or privileges, making it remotely exploitable over the network. The vulnerability can lead to unauthorized disclosure, modification, or deletion of sensitive data stored in the backend database, potentially compromising the entire membership system. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploits have been reported, the public disclosure increases the likelihood of future attacks. The absence of patches or official fixes at the time of reporting necessitates immediate mitigation efforts by administrators.

The SQL injection vulnerability in the Student Membership System can have significant impacts on organizations using this software. Attackers can remotely execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive student and membership data, including personal information and credentials. Data integrity may be compromised through unauthorized modifications or deletions, disrupting system operations and trustworthiness. Availability could also be affected if attackers execute destructive queries or cause database corruption. Given the administrative context of the vulnerable component, attackers might gain elevated access or pivot to other parts of the system. The medium CVSS score reflects moderate risk; however, the ease of remote exploitation without authentication increases the threat level. Organizations relying on this system for managing student memberships, especially educational institutions, face risks of data breaches, regulatory non-compliance, reputational damage, and operational disruptions.

To mitigate CVE-2026-5198, organizations should first check for any official patches or updates from the vendor and apply them promptly once available. In the absence of patches, immediate steps include implementing Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the /admin/index.php endpoint, particularly on username and password parameters. Input validation and sanitization should be enforced at the application level, ensuring that all user-supplied data is properly escaped or parameterized before database queries. Restricting access to the admin interface by IP whitelisting or VPN-only access can reduce exposure. Database accounts used by the application should have the least privileges necessary to limit the impact of any injection. Regularly monitoring logs for suspicious query patterns and failed login attempts can help detect exploitation attempts early. Finally, organizations should conduct security assessments and code reviews to identify and remediate similar vulnerabilities proactively.