Description
A security vulnerability has been detected in itsourcecode School Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Due to contradicting product definitions in the original disclosure, this CVE was initially incorrectly assigned to the Student Management System.
Published: 2026-01-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection with database compromise
Action: Patch Upgrade
AI Analysis

Impact

A vulnerable path in the enrollment/index.php page of itsourcecode School Management System 1.0 allows the manipulation of an ID argument to inject SQL statements. The flaw arises from inadequate input validation and results in remote execution of arbitrary database commands, granting an attacker read, modify, or delete access to the underlying database. The impact is thus a potential loss of confidentiality, integrity, and availability of the system’s data.

Affected Systems

The affected product is itsourcecode School Management System, version 1.0. No other versions are listed as affected, and the vulnerability is linked to the /enrollment/index.php handling of an ID parameter.

Risk and Exploitability

The CVSS 4.0 score is 6.9 (Medium); the published vector rates attack complexity as low and the impact on confidentiality, integrity and availability as low. The EPSS score is less than 1%, reflecting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The threat vector is remote, as the injection can be triggered from outside the site without additional privileges. Attackers could exploit this flaw to extract or corrupt sensitive information stored in the database.

Generated by OpenCVE AI on April 18, 2026 at 01:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released update that fixes input validation in enrollment/index.php.
  • If no update is available, restrict external access to enrollment/index.php and configure the database account used by the application with the minimum privileges required, such as read‑only for operations that do not need write access.
  • Modify the application code to use parameterized queries or explicitly cast the ID parameter to an integer before incorporating it into SQL statements.
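The integer-only expectation for ID in the last recommendation also gives defenders a check to run over web-server access logs while no fix is available. The following is an added example, not code from OpenCVE or the vendor; it assumes combined-format logs and that ID arrives in the query string (the page does not say whether the parameter is sent by GET or POST), and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TARGET_PATH = "/enrollment/index.php"   # path named in the CVE description
PARAM = "id"                            # the "ID" argument, matched case-insensitively


def suspicious_id_values(line):
    """Return the non-integer ID values carried by a request to TARGET_PATH."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/").lower() != TARGET_PATH:
        return []
    # parse_qsl percent-decodes values, so encoded characters are checked too.
    values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
              if k.lower() == PARAM]
    # Assumption: a legitimate ID is a short run of decimal digits.
    return [v for v in values if not re.fullmatch(r"\d{1,10}", v)]


def scan(lines):
    """Yield (line_number, client_ip, bad_values) for each flagged log line."""
    for n, line in enumerate(lines, 1):
        bad = suspicious_id_values(line)
        if bad:
            yield n, line.split(" ", 1)[0], bad


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jan/2026:10:00:01 +0000] "GET /enrollment/index.php?ID=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jan/2026:10:00:05 +0000] "GET /enrollment/index.php?ID=42%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [30/Jan/2026:10:00:09 +0000] "GET /enrollment/index.php?view=list&id=7+abc HTTP/1.1" 200 4870',
    '192.0.2.10 - - [30/Jan/2026:10:00:12 +0000] "GET /student/index.php?ID=x HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for n, ip, bad in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent non-integer ID value(s) {bad!r}")
```

Requests that carry ID in a POST body do not appear in access logs, so this check complements the code fix rather than replacing it.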

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:school_management_system:*:*:*:*:*:*:*:*

Wed, 18 Feb 2026 06:00:00 +0000

Type Values Removed Values Added
Description
  Removed: A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
  Added: A security vulnerability has been detected in itsourcecode School Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Due to contradicting product definitions in the original disclosure, this CVE was initially incorrectly assigned to the Student Management System.
Title
  Removed: itsourcecode Student Management System index.php sql injection
  Added: itsourcecode School Management System index.php sql injection

Fri, 13 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode school Management System
CPEs
  Removed: cpe:2.3:a:itsourcecode:student_management_system:1.0:*:*:*:*:*:*:*
  Added: cpe:2.3:a:itsourcecode:school_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Itsourcecode school Management System

Tue, 10 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:student_management_system:1.0:*:*:*:*:*:*:*

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode
Itsourcecode student Management System
Vendors & Products Itsourcecode
Itsourcecode student Management System

Fri, 30 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Title itsourcecode Student Management System index.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:10:49.982Z

Reserved: 2026-01-30T10:51:13.325Z

Link: CVE-2026-1701

Vulnrichment

Updated: 2026-01-30T19:27:20.481Z

NVD

Status: Modified

Published: 2026-01-30T18:15:59.727

Modified: 2026-02-18T06:16:34.687

Link: CVE-2026-1701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z
