EIP-2026-112280

PRE-CVE

SOA School Management - 'access_login' SQL Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112280. PoCs published by L0RD.

AI-analyzed exploit summary The exploit demonstrates an error-based SQL injection vulnerability in the 'access_login' parameter of the SOA School Management Software. It provides specific payloads using MySQL functions like extractvalue() and updatexml() to trigger XPATH errors, leaking database information such as user and version details.

Description

SOA School Management - 'access_login' SQL Injection

Exploits (1)

exploitdb WORKING POC

by L0RD · textwebappsphp

https://www.exploit-db.com/exploits/44037

View Code ZIP pw:eip

The exploit demonstrates an error-based SQL injection vulnerability in the 'access_login' parameter of the SOA School Management Software. It provides specific payloads using MySQL functions like extractvalue() and updatexml() to trigger XPATH errors, leaking database information such as user and version details.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: SOA - School Management Software with Integrated Parents/Students Portal & Mobile App (All versions)

No auth needed

Prerequisites: Access to the login page of the target application

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026