CVE-2026-2073 - Vulnerability Details

- itsourcecode School Management System index.php sql injection

Description

A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Published: 2026-02-07

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in School Management System 1.0 allows an attacker to inject arbitrary SQL statements by manipulating an unvalidated ID parameter in an unknown function of /ramonsys/user/index.php. This is a classic SQL injection weakness (CWE‑74 and CWE‑89). The likely impact of a successful exploitation is that the attacker could read, modify or delete data in the application database, but the CVE does not state the exact range of compromise. The flaw can be triggered from a remote host without local privileges.

Affected Systems

School Management System 1.0 from itsourcecode is the only version specifically identified as affected. The vulnerability resides in file /ramonsys/user/index.php and applies to the CPE entries described for this product.

Risk and Exploitability

The CVSS v3 base score is 6.9, indicating moderate severity. The EPSS score of less than 1% suggests that automated exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending a crafted HTTP request containing a malicious ID value to the vulnerable endpoint from a remote location.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

School Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:itsourcecode:school_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Itsourcecode	School Management System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor-provided fix or upgrade to a newer version of School Management System when an update becomes available.
Implement server‑side validation to accept only numeric values for the ID parameter, or refactor the code to use prepared statements or an ORM that parameterizes queries.
Deploy a Web Application Firewall or equivalent filtering solution to detect and block SQL‑injection patterns targeting the ID parameter.

Generated by OpenCVE AI on April 18, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/Sherlocksbs/CVE/issues/1
https://itsourcecode.com/
https://vuldb.com/?ctiid.344639
https://vuldb.com/?id.344639
https://vuldb.com/?submit.745482

History

Mon, 23 Feb 2026 09:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:itsourcecode:school_management_system::::::::

Thu, 12 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:itsourcecode:school_management_system:1.0:::::::*

Tue, 10 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode school Management System
Vendors & Products		Itsourcecode Itsourcecode school Management System

Sat, 07 Feb 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Title		itsourcecode School Management System index.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/Sherlocksbs/CVE/issues/1 https://itsourcecode.com/ https://vuldb.com/?ctiid.344639 https://vuldb.com/?id.344639 https://vuldb.com/?submit.745482
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Itsourcecode School Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-07T03:32:07.333Z

Updated: 2026-02-23T09:29:14.617Z

Reserved: 2026-02-06T07:43:23.854Z

Link: CVE-2026-2073

Vulnrichment

Updated: 2026-02-10T15:23:42.441Z

NVD

Status : Analyzed

Published: 2026-02-07T04:15:54.083

Modified: 2026-02-12T16:24:08.137

Link: CVE-2026-2073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object