CVE-2026-2090 - Vulnerability Details

- SourceCodester Online Class Record System search.php sql injection

Description

A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

Published: 2026-02-07

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability was discovered in SourceCodester Online Class Record System 1.0 affecting the admin/message/search.php script. Manipulating the 'term' argument results in a SQL injection. This flaw allows an attacker to execute arbitrary SQL statements against the backend database, potentially exposing sensitive data, corrupting or deleting data, and compromising system availability. The weakness is a classic SQL injection (CWE‑89) and also involves improper command construction (CWE‑74).

Affected Systems

The affected product is SourceCodester Online Class Record System version 1.0. No other vendors or product versions were mentioned. The vulnerability is tied to the /admin/message/search.php endpoint of that system.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity, and the EPSS score of <1% suggests a low likelihood of exploitation at present. The vulnerability is publicly disclosed and can be triggered remotely by sending a crafted 'term' request to the admin area. Based on the description, it is inferred that the attack may require administrative authentication or network access to the system, though the description does not specify authentication requirements. The vulnerability is not yet listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Online Class Record System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:janobe:online_class_record_system:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Sourcecodester	Online Class Record System	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Online Class Record System to the latest version once the vendor releases a patch.
Modify the search.php handler to sanitize the 'term' input or use prepared statements to prevent SQL concatenation.
Restrict access to the /admin/message/search.php endpoint by enforcing authentication and applying firewall or web‑server access controls.

Generated by OpenCVE AI on April 18, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/xiaoccm07/cve/issues/3
https://vuldb.com/?ctiid.344657
https://vuldb.com/?id.344657
https://vuldb.com/?submit.746551
https://www.sourcecodester.com/

History

Tue, 10 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Feb 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Janobe Janobe online Class Record System
CPEs		cpe:2.3:a:janobe:online_class_record_system:1.0:::::::*
Vendors & Products		Janobe Janobe online Class Record System

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester online Class Record System
Vendors & Products		Sourcecodester Sourcecodester online Class Record System

Sat, 07 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Title		SourceCodester Online Class Record System search.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/xiaoccm07/cve/issues/3 https://vuldb.com/?ctiid.344657 https://vuldb.com/?id.344657 https://vuldb.com/?submit.746551 https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Janobe Online Class Record System

Sourcecodester Online Class Record System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-07T15:32:07.605Z

Updated: 2026-02-23T09:33:04.785Z

Reserved: 2026-02-06T08:25:40.592Z

Link: CVE-2026-2090

Vulnrichment

Updated: 2026-02-10T15:55:23.427Z

NVD

Status : Analyzed

Published: 2026-02-07T16:15:47.727

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object