CVE-2026-7545: SourceCodester School Management SQLi Exposes Data

A critical SQL injection vulnerability, tracked as CVE-2026-7545, has been identified in SourceCodester Advanced School Management System version 1.0. The National Vulnerability Database reports that the flaw resides within an unspecified function in commonController.php, specifically the checkEmail endpoint.

This vulnerability, rated with a CVSS score of 7.3 (HIGH), allows for remote exploitation without authentication (AV:N/AC:L/PR:N/UI:N). Attackers can manipulate the checkEmail endpoint to inject malicious SQL queries, leading to potential data compromise. The exploit has been publicly disclosed, significantly increasing the risk of widespread exploitation.

Organizations using this system are at direct risk of unauthorized access to sensitive student and administrative data. The ease of exploitation and public availability of the exploit code make this a high-priority threat for any institution relying on SourceCodester Advanced School Management System 1.0.

What This Means For You

  • If your organization uses SourceCodester Advanced School Management System 1.0, you are exposed. This is a public exploit for a high-severity SQL injection. Your student and administrative data is vulnerable. Immediately assess your exposure and implement compensating controls or migrate to a more secure system. This is not a 'wait and see' situation.

🛡️ Detection Rules

Detection rules auto-generated for this incident, mapped to MITRE ATT&CK. The Sigma YAML is shown below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-7545: SourceCodester School Management checkEmail SQL Injection

Sigma YAML:
title: 'CVE-2026-7545: SourceCodester School Management checkEmail SQL Injection'
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects the specific SQL injection exploit targeting the checkEmail endpoint in SourceCodester Advanced School Management System 1.0 via the commonController.php file. This rule looks for the specific URI path and common SQL injection patterns within the query string, indicating an attempt to exploit CVE-2026-7545 for initial access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7545/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_request:
    cs-uri: '/SourceCodester%20Advanced%20School%20Management%20System/admin/commonController.php'
    cs-method: 'GET'
  selection_endpoint:
    cs-uri-query|contains: 'checkEmail'
  selection_sqli:
    cs-uri-query|contains:
      - "' OR '1'='1'"
      - "' UNION SELECT"
  # All three selections must hold. Listing 'checkEmail' alongside the injection
  # strings in one contains-list would fire on every legitimate checkEmail call.
  condition: selection_request and selection_endpoint and selection_sqli
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
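The rule above, applied as a small detection script over constructed webserver log lines. This is an added example, not the feed's own tooling; the log layout (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status) and the client addresses are assumptions. It shows one caveat the rule as written does not handle: the quotes and spaces in the rule's literal patterns reach the log URL-encoded, so the query string is decoded before matching.

```python
import re
from urllib.parse import unquote, unquote_plus

# Same endpoint the Sigma rule keys on (percent-encoded, as the rule writes it).
TARGET_PATH = "/SourceCodester%20Advanced%20School%20Management%20System/admin/commonController.php"
# Regex forms of the rule's two string patterns, tolerant of spacing and case.
SQLI_PATTERNS = [
    re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    re.compile(r"'\s*UNION\s+SELECT", re.IGNORECASE),
]

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Lines 2 and 3 carry the rule's patterns in the URL-encoded form a server actually logs.
SAMPLE_LOG = """\
2026-05-01 05:20:01 203.0.113.10 GET /SourceCodester%20Advanced%20School%20Management%20System/admin/commonController.php checkEmail=1&email=alice%40example.edu 200
2026-05-01 05:20:07 203.0.113.44 GET /SourceCodester%20Advanced%20School%20Management%20System/admin/commonController.php checkEmail=1&email=x%27%20OR%20%271%27%3D%271 200
2026-05-01 05:20:09 203.0.113.44 GET /SourceCodester%20Advanced%20School%20Management%20System/admin/commonController.php checkEmail=1&email=x%27%20UNION%20SELECT%201--%20- 500
2026-05-01 05:20:15 198.51.100.7 POST /SourceCodester%20Advanced%20School%20Management%20System/admin/login.php - 302
"""


def parse_line(line):
    """Split one log line into the field names the Sigma webserver rule uses."""
    date, time, c_ip, method, stem, query, status = line.split()
    return {"timestamp": f"{date} {time}", "c-ip": c_ip, "cs-method": method,
            "cs-uri-stem": stem, "cs-uri-query": query, "sc-status": status}


def matches_rule(entry):
    """Apply the rule as a conjunction: exact path AND GET AND checkEmail AND an SQLi pattern.

    The query string is URL-decoded first: the rule's literals contain quotes and spaces,
    which clients send as %27 and %20, so matching the raw logged query would miss them.
    """
    if entry["cs-method"] != "GET" or unquote(entry["cs-uri-stem"]) != unquote(TARGET_PATH):
        return False
    query = unquote_plus(entry["cs-uri-query"])
    if "checkEmail" not in query:
        return False
    return any(p.search(query) for p in SQLI_PATTERNS)


def scan(log_text):
    """Return the entries that satisfy the rule, in log order."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if matches_rule(e)]
```

Running scan(SAMPLE_LOG) returns the two requests from 203.0.113.44 and ignores the legitimate checkEmail lookup on the first line.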

Indicators of Compromise

ID             Type  Indicator
CVE-2026-7545  SQLi  SourceCodester Advanced School Management System 1.0
CVE-2026-7545  SQLi  commonController.php
CVE-2026-7545  SQLi  checkEmail endpoint

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 05:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
