Description
A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-01-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access and modification via SQL injection
Action: Apply Patch
AI Analysis

Impact

A flaw exists in the PHPGurukul Online Course Registration System in the file /enroll.php that allows an attacker to manipulate the request arguments—studentregno, Pincode, session, department, level, course, and sem—to inject arbitrary SQL statements. The injection can be triggered remotely by sending a crafted HTTP request to the vulnerable endpoint. Once exploited, the attacker can read, modify, or delete database records, potentially exposing sensitive student information or compromising the integrity of the registration system.

Affected Systems

The vulnerability affects PHPGurukul’s Online Course Registration System versions up to and including 3.1. No later versions are mentioned as receiving the fix. System administrators should verify whether their deployment is within the affected release range.

Risk and Exploitability

With a CVSS score of 5.3, this issue falls into the medium severity range. The EPSS score is below 1%, indicating a low probability of exploitation under current data. The vulnerability is not listed in the CISA KEV catalog. Although the attack vector is remote, it requires only that the attacker is able to send HTTP requests to the vulnerable server, making the exposure significant for publicly reachable installations. Successful injection could lead to data leakage or unauthorized data manipulation.

Generated by OpenCVE AI on April 18, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with the vendor for a patch or newer release that addresses the SQL injection in enroll.php.
  • Implement input validation and switch to parameterized SQL queries for all request parameters handled by enroll.php to eliminate injection risk.
  • Configure firewall or web access controls to restrict who can reach the enrollment endpoint, limiting the attack surface to trusted internal networks only.



Advisories

No advisories yet.

History

Thu, 22 Jan 2026 16:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:phpgurukul:online_course_registration_system:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Phpgurukul; Phpgurukul online Course Registration System
Vendors & Products | | Phpgurukul; Phpgurukul online Course Registration System

Fri, 09 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Title | | PHPGurukul Online Course Registration System enroll.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:25:26.551Z

Reserved: 2026-01-09T09:41:52.701Z

Link: CVE-2026-0803

Vulnrichment

Updated: 2026-01-09T16:24:19.580Z

NVD

Status: Analyzed

Published: 2026-01-09T16:16:07.840

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-0803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses