Likelihood: LOW
Impact: MODERATE
Treatment: MITIGATE
Confidence: Moderate
Likelihood is low because CVE-2026-10110 affects only code-projects Student Details Management System 1.0, a narrow-deployment hobbyist/academic application with no confirmed in-the-wild exploitation and no KEV listing, though a public exploit does exist and lowers attacker effort for any exposed instance. Impact is moderate because successful exploitation yields full unauthenticated read/write/delete access to student PII databases, creating regulatory notification exposure and operational disruption for affected institutions, but the contained deployment base limits organizational scale of harm.
Treatment rationale: A public exploit against an unauthenticated SQL injection endpoint holding student PII creates a concrete, addressable attack surface that justifies prompt remediation — patching, input validation enforcement, or application replacement — rather than passive acceptance or cost transfer alone.
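The treatment above names input validation and patching as the remediation for an unauthenticated SQL injection. The following added example, written for this assessment and not code from the affected Student Details Management System or its vendor, shows the defect class side by side with the hardened form: a lookup built by string concatenation versus the same lookup using parameter binding plus a strict allowlist on the identifier. The table, column names, sample rows and the `student_id` parameter are constructed for illustration; the real application's schema and endpoint names are not stated on the page.

```python
"""Added example: SQL-injection defect class and its remediation.

Not code from the affected application. The `students` table, its columns
and the sample rows are constructed here so the script runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed student-PII table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (name, email) VALUES (?, ?)",
        [("Ada", "ada@example.edu"), ("Bob", "bob@example.edu")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, student_id: str) -> list:
    """Defect pattern: the request parameter is pasted into the SQL text,
    so any input that contains SQL syntax changes the query's meaning.
    Kept here only to show why the hardened version is needed."""
    sql = "SELECT id, name, email FROM students WHERE id = " + student_id
    return conn.execute(sql).fetchall()


def parse_student_id(raw: str) -> int:
    """Input validation enforcement: accept only a positive decimal integer.
    Anything else (spaces, quotes, keywords) is rejected before it reaches
    the database layer."""
    if not raw.isdigit():
        raise ValueError("student_id must be a positive decimal integer")
    return int(raw)


def lookup_parameterized(conn: sqlite3.Connection, student_id: str) -> list:
    """Remediation: placeholder binding keeps the input a *value*; the
    database never parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, email FROM students WHERE id = ?", (student_id,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Both controls together: validate, then bind."""
    return lookup_parameterized(conn, str(parse_student_id(raw_id)))


if __name__ == "__main__":
    db = build_db()
    hostile = "1 OR 1=1"  # canonical textbook input that alters the WHERE clause
    print("vulnerable   :", lookup_vulnerable(db, hostile))     # every row leaks
    print("parameterized:", lookup_parameterized(db, hostile))  # no match, []
    try:
        lookup_hardened(db, hostile)
    except ValueError as exc:
        print("hardened     : rejected ->", exc)
    print("hardened ok  :", lookup_hardened(db, "1"))
```

Running the script shows the concatenated query returning the whole table for a single malformed parameter, while the bound query returns nothing and the validating wrapper rejects the input before any query runs. For remediation planning, the parameter-binding change is the one that removes the vulnerability; the allowlist is defence in depth and also gives the application a clean point at which to log rejected requests.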
Third-Party / Supply-Chain Risk
If the Student Details Management System 1.0 is deployed by an institution via a third-party hosting provider, managed service partner, or shared academic platform, the SQL injection exposure extends to that provider's infrastructure and any co-tenanted data; institutions should confirm with their hosting or SIS integration partners whether the application is in their environment (NIST SP 800-161 Tier 2/3 supplier exposure).
Loss Exposure (illustrative)
Magnitude: Low to moderate — illustrative $25K–$250K per affected institution, driven primarily by breach notification, regulatory response, and records remediation costs rather than large-scale financial loss
Frequency: For an institution with this application internet-exposed and a public exploit available, opportunistic exploitation within a 12-month window is plausible but not certain given the application's narrow deployment base; illustrative frequency: less than once per year per exposed deployment
Annualized: Illustrative ALE: $10K–$75K per exposed institutional deployment annually, weighted by low probability of targeting against moderate per-event cost
Basis: Magnitude derived from: small student-record database scope (limiting data-breach notification volume), absence of confirmed financial or payment data (reducing fraud loss tier), and primary cost drivers being notification, IT remediation, and potential regulatory inquiry. Frequency derived from: public exploit availability increasing opportunistic risk, offset by extremely narrow deployment base reducing attacker targeting incentive. No third-party loss reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Unauthorized access to student PII may invoke state or federal student-privacy breach-notification obligations — verify with counsel.
• PII exposure from an unpatched known vulnerability may implicate cyber-insurance policy conditions regarding reasonable security controls — verify with broker.
• Institutions subject to FERPA or equivalent student-data protection frameworks may have contractual data-handling obligations with their hosting or software vendors that this vulnerability implicates — verify with counsel.