{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6595", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T10:53:14.875Z", "datePublished": "2026-04-20T02:00:49.226Z", "dateUpdated": "2026-04-20T02:00:49.226Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T02:00:49.226Z"}, "title": "ProjectsAndPrograms School Management System HTTP GET Parameter buslocation.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "ProjectsAndPrograms", "product": "School Management System", "versions": [{"version": "6b6fae5426044f89c08d0dd101c7fa71f9042a59", "status": "affected"}], "modules": ["HTTP GET Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This vulnerability affects unknown code of the file buslocation.php of the component HTTP GET Parameter Handler. The manipulation of the argument bus_id leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T12:58:19.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "EthX0_ (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358230", "name": "VDB-358230 | ProjectsAndPrograms School Management System HTTP GET Parameter buslocation.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358230/cti", "name": "VDB-358230 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791820", "name": "Submit #791820 | ProjectsAndPrograms school-management-system commit 6b6fae5 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://tcn60zf28jhk.feishu.cn/wiki/MdHFw78Gmi1zbske8Ozc6XTjnIh?from=from_copylink", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59. This vulnerability affects unknown code of the file buslocation.php of the component HTTP GET Parameter Handler. The manipulation of the argument bus_id leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6595", "lastModified": "2026-04-20T03:16:16.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T03:16:16.777", "references": [{"source": "cna@vuldb.com", "url": "https://tcn60zf28jhk.feishu.cn/wiki/MdHFw78Gmi1zbske8Ozc6XTjnIh?from=from_copylink"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791820"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358230"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358230/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "6b6fae5426044f89c08d0dd101c7fa71f9042a59"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "School Management System", "source": "cna", "vendor": "ProjectsAndPrograms"}, "product": "school_management_system", "vendor": "projectsandprograms"}], "analysis": {"en": {"generated_at": "2026-04-20T03:21:01.361267+00:00", "value": {"mitigation_remediation": ["Validate the bus_id parameter to accept only numeric values and reject any non\u2011numeric input", "Refactor the database query to use prepared statements or parameterized queries, eliminating direct string interpolation of user input", "Restrict access to buslocation.php to authenticated and authorized users, and monitor web logs for suspicious query activity"], "summary": {"action": "Assess", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is ProjectsAndPrograms School Management System. The vulnerability applies to releases up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59. Because the product follows a rolling release model, no specific version numbers are listed, and updated releases are not available at the time of disclosure.", "description_and_impact": "A SQL injection vulnerability exists in the ProjectsAndPrograms School Management System within the file buslocation.php, where the HTTP GET parameter bus_id is unconstrained and directly incorporated into database queries. Attacking this endpoint allows remote exploitation; the attacker can inject arbitrary SQL statements, potentially reading, modifying, or deleting database records. The flaw is publicly documented and exploitable without special credentials, presenting a threat to the confidentiality, integrity, and availability of the system\u2019s data.", "risk_and_exploitability": "The CVSS score of 6.9 classifies the flaw as moderate severity, and the lack of an EPSS score indicates no publicly available exploitation frequency data, though the exploit is documented as publicly available. The vulnerability is not listed in KEV, and the roll\u2011through nature of the product makes patching uncertain. The likely attack vector is a remote HTTP GET request to buslocation.php with a crafted bus_id value; an attacker with network access to the web application could exploit the flaw without authentication. Given these factors, the risk is moderate to high, particularly if sensitive data is stored in the database."}}}}, "created": "2026-04-20T03:30:41.818391+00:00", "updated": "2026-04-20T03:30:41.937649+00:00", "vendors": ["projectsandprograms", "projectsandprograms$PRODUCT$school_management_system"]}