Description
A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-01-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch Now
AI Analysis

Impact

A SQL injection flaw in the PHPGurukul Online Course Registration System allows a remote attacker to manipulate the "id" or "cid" parameters of the manage-students.php page and inject arbitrary SQL statements. This can compromise database integrity, reveal sensitive student information, and potentially allow the attacker to modify or delete data. The weakness maps to CWE-74 and CWE-89.

Affected Systems

The vulnerability is present in all releases of PHPGurukul’s Online Course Registration System up to and including version 3.1. Versions released after 3.1 do not contain this flaw unless the same vulnerable code remains in manage-students.php.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate impact, and the EPSS score below 1% suggests a low current probability of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, but it is publicly disclosed, and the remote attack vector means anyone able to send HTTP requests can exploit it. The lack of an available patch reduces protection, so administrators should prioritize updating or hardening the affected endpoint promptly.

Generated by OpenCVE AI on April 18, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PHPGurukul Online Course Registration System to the latest version (≥3.2) or apply the vendor’s patch that addresses the SQL injection in manage-students.php.
  • If a patch is not available, restrict direct HTTP access to the /onlinecourse/admin/manage-students.php page to administrators only, using network filtering, IP whitelisting, or application-level authentication.
  • Employ input validation and use parameterized queries for all database interactions involving the id and cid parameters, or enable a web application firewall that blocks common SQL injection patterns.



Advisories

No advisories yet.

History

Thu, 22 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:online_course_registration_system:*:*:*:*:*:*:*:*

Fri, 09 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Phpgurukul
Phpgurukul online Course Registration System
Vendors & Products Phpgurukul
Phpgurukul online Course Registration System

Fri, 09 Jan 2026 10:00:00 +0000

Type: Description
Values Removed: A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Values Added: A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument id/cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
References

Thu, 08 Jan 2026 23:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. This manipulation of the argument cid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title PHPGurukul Online Course Registration System manage-students.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:25:04.752Z

Reserved: 2026-01-08T15:32:32.701Z

Link: CVE-2026-0733

Vulnrichment

Updated: 2026-01-09T16:21:58.417Z

NVD

Status: Analyzed

Published: 2026-01-09T00:15:45.497

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z
