SQL Injection Vulnerability in Yash Pokharna Student Management System
CVE-2026-9470

6.9MEDIUM

Key Information:

Vendor

YasHPokharna2555

Status
Studentmanagementsystem
Vendor
CVE Published:
25 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-9470?

A security vulnerability has been identified in the Yash Pokharna Student Management System that affects the remote login function. This flaw arises from insufficient input validation in the confirm_logged_in function of student_trans.php. Attackers can exploit this vulnerability by manipulating input parameters such as FIRST_NAME, Last_Name, or EMAIL, potentially allowing unauthorized access to sensitive database information through SQL injection. The issue was reported to the development team but remains unresolved, putting users at risk. Given the rolling release model of the product, detailed information regarding other affected versions is not publicly available.

Affected Version(s)

StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9470 - Proof of Concept

References

https://vuldb.com/vuln/365451
vdb-entrytechnical-description
https://vuldb.com/vuln/365451/cti
signaturepermissions-required
https://vuldb.com/submit/814001
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Levis1 (VulDB User)
VulDB CNA Team
.