CVE-2026-3149 - Vulnerability Details

- itsourcecode College Management System asign-single-student-subjects.php sql injection

Description

A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-02-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the ‘asign‑single‑student‑subjects.php’ file of itsourcecode College Management System allows an attacker to manipulate the course_code argument and inject arbitrary SQL. This injection can be performed remotely and is capable of exposing sensitive data, modifying database contents, and potentially retrieving credentials or other confidential information. The weakness is an uncontrolled input that returns a SQL query, enabling unauthorized read or write operations on the underlying database. The impact is confined to the database accessed by the application, but any attacker who gains this access could compromise the entire system’s data integrity and confidentiality.

Affected Systems

The vulnerability affects the College Management System by itsourcecode, version 1.0. No other versions are listed as impacted. The associated CPE indicates that the affected product is the College Management System.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score of < 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA’s KEV catalog. However, the thread notes that exploit code is publicly available, so a remote attacker could attempt to use the flaw if other mitigations are absent. The attack vector is remote via HTTP parameters, requiring network access to the admin interface. The low exploitation probability is offset by the potential damage if bypassed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

itsourcecode

College Management System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:angeljudesuarez:college_management_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Itsourcecode

College Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest version of itsourcecode College Management System once an official patch is released
Modify the application to use prepared statements or parameterized queries for all input that is used in SQL commands
Limit access to the admin files by IP whitelisting or strong authentication so that only trusted administrators can reach the assignment interface

Generated by OpenCVE AI on April 17, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Zhangchao404/cve/issues/1
https://itsourcecode.com/
https://vuldb.com/?ctiid.347657
https://vuldb.com/?id.347657
https://vuldb.com/?submit.758828

History

Wed, 25 Feb 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Angeljudesuarez Angeljudesuarez college Management System
CPEs		cpe:2.3:a:angeljudesuarez:college_management_system:1.0:::::::*
Vendors & Products		Angeljudesuarez Angeljudesuarez college Management System

Wed, 25 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Itsourcecode Itsourcecode college Management System
Vendors & Products		Itsourcecode Itsourcecode college Management System

Wed, 25 Feb 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Title		itsourcecode College Management System asign-single-student-subjects.php sql injection
Weaknesses		CWE-74 CWE-89
References		https://github.com/Zhangchao404/cve/issues/1 https://itsourcecode.com/ https://vuldb.com/?ctiid.347657 https://vuldb.com/?id.347657 https://vuldb.com/?submit.758828
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Angeljudesuarez College Management System

Itsourcecode College Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-25T04:02:18.965Z

Updated: 2026-02-25T15:10:12.905Z

Reserved: 2026-02-24T20:08:06.728Z

Link: CVE-2026-3149

Vulnrichment

Updated: 2026-02-25T15:10:05.860Z

NVD

Status : Analyzed

Published: 2026-02-25T05:17:28.793

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object