Description
A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-01-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted SQL Injection allowing arbitrary database queries and potential data disclosure or modification.
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in School Management System 1.0 within the student index module, where manipulating the ID parameter lets an attacker inject SQL statements. This leads to unauthenticated read or write access to the underlying database, potentially exposing sensitive student information and allowing malicious alterations to records. The vulnerability is categorized as a classic SQL injection (CWE-89), a specific case of the broader injection class (CWE-74, improper neutralization of special elements in output used by a downstream component).

Affected Systems

This issue affects any installation of itsourcecode School Management System version 1.0. The vulnerability resides in the /student/index.php file, and no other versions or modules are indicated as affected.

Risk and Exploitability

The CVSS score of 6.9 reflects medium severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation is documented as of now. An attacker can exploit the flaw remotely by sending crafted requests that manipulate the ID parameter, provided the application is reachable over the network. No special privileges are required, and the exploit can be performed from any internet-connected machine without authentication.

Generated by OpenCVE AI on April 18, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to a secure version of the School Management System.
  • Restrict the database account used by the application according to the principle of least privilege, ensuring it has access only to the necessary tables and operations.
  • Implement server‑side input validation and sanitization for all user‑supplied parameters, particularly the ID field in /student/index.php.
  • Deploy a web application firewall to detect and block SQL injection attempts before they reach the application layer.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:school_management_system:*:*:*:*:*:*:*:*

Tue, 06 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:school_management_system:1.0:*:*:*:*:*:*:*

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode
Itsourcecode school Management System
Vendors & Products Itsourcecode
Itsourcecode school Management System

Thu, 01 Jan 2026 19:45:00 +0000

Type: Description
Values Removed: A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Values Added: A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Thu, 01 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
Title itsourcecode School Management System index.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:03:13.934Z

Reserved: 2026-01-01T09:01:20.864Z

Link: CVE-2026-0544

Vulnrichment

Updated: 2026-01-05T20:00:56.921Z

NVD

Status: Analyzed

Published: 2026-01-01T09:15:51.113

Modified: 2026-01-06T19:25:10.050

Link: CVE-2026-0544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses