CVE-2025-70152 PUBLISHED

Assigner: mitre
Reserved: 09.01.2026 Published: 18.02.2026 Updated: 18.02.2026

code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/save_user.php and /admin/update_user.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters (firstname, lastname, username, password, user_id) into SQL queries without validation or parameterization.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	n/a
Product	n/a
Versions	Version n/a is affected

References

https://code-projects.org/scholars-tracking-system-in-php-with-source-code/
https://youngkevinn.github.io/posts/CVE-2025-70152-Scholars-SQLi-Missing-Auth/

Problem Types

n/a text