Description
A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. Manipulating the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used.
Published: 2026-03-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection leading to potential data exposure or modification via the admin_single_student.php page
Action: Immediate Patch
AI Analysis

Impact

A flaw exists in version 1.0 of itsourcecode University Management System that permits an attacker to manipulate the ID parameter in the /admin_single_student.php file, resulting in an SQL injection. The vulnerability can be exploited remotely, allowing the execution of arbitrary SQL commands against the database. This can lead to data disclosure, modification, or loss. Based on the typical consequences of SQL injection, an attacker could potentially also move laterally within the system; this is an inference rather than a demonstrated outcome.

Affected Systems

The University Management System developed by itsourcecode, specifically version 1.0, is affected. The flaw was identified in the administration interface, targeting the single student record retrieval and manipulation feature.

Risk and Exploitability

The CVSS score of 6.9 is rated Medium. Although the EPSS score is below 1%, a published exploit exists and the attack can be carried out remotely, which raises the likelihood of real-world attacks. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, but the availability of an exploit warrants prompt attention. An attacker with network or web access to the application can trigger the SQL injection by sending crafted requests that manipulate the ID parameter.

Generated by OpenCVE AI on April 18, 2026 at 10:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if a vendor‑supplied patch or update for version 1.0 of the University Management System is available and apply it.
  • Modify the code to use prepared statements or parameterized queries for all database interactions with user input, especially the ID field in admin_single_student.php.
  • Restrict remote access to the administration interface by implementing IP‑based firewall rules or VPN isolation, ensuring only trusted administrators can reach the vulnerable endpoint.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Itsourcecode; Itsourcecode university Management System
Vendors & Products | | Itsourcecode; Itsourcecode university Management System

Tue, 03 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Angeljudesuarez; Angeljudesuarez university Management System
CPEs | | cpe:2.3:a:angeljudesuarez:university_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products | | Angeljudesuarez; Angeljudesuarez university Management System

Mon, 02 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Title | | itsourcecode University Management System admin_single_student.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T14:09:06.041Z

Reserved: 2026-03-01T09:42:47.906Z

Link: CVE-2026-3413

Vulnrichment

Updated: 2026-03-02T14:09:02.335Z

NVD

Status: Analyzed

Published: 2026-03-02T07:16:23.240

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z