Description
A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.
Published: 2026-04-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Patch Immediately
AI Analysis

Impact

The assignInstructorSubjects.php script in the Online Student Enrollment System v1.0 contains a SQL injection flaw. The 'subjcode' parameter is inserted directly into an SQL query without sanitization, giving an attacker the ability to inject arbitrary SQL statements. This weakness can lead to unauthorized reading, modification, or deletion of enrollment data, exposing sensitive student records and potentially compromising the integrity and confidentiality of the database.

Affected Systems

The vulnerability affects the Online Student Enrollment System, version 1.0, as identified by the CPE string. No vendor was specified; the product appears to be a lightweight open‑source application. Because the affected file is part of the web application, the flaw resides in a publicly exposed endpoint.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical impact, while the EPSS score of less than 1% suggests the risk of current exploitation is low. The system is not listed in CISA's KEV catalog, implying no widespread attacks have been reported yet. The attack vector is likely remote via HTTP requests to assignInstructorSubjects.php, but this is inferred from the description; no authentication requirement was explicitly stated.

Generated by OpenCVE AI on April 14, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version where the SQL injection is fixed.
  • If no update is available, modify the assignInstructorSubjects.php code to use parameterized queries or prepared statements for the subjcode input.
  • Monitor web server logs for suspicious SQL patterns or repeated attempts to access assignInstructorSubjects.php.

Generated by OpenCVE AI on April 14, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Online Student Enrollment System Allowing Arbitrary Database Access

Tue, 14 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:online_student_enrollment_system:1.0:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in assignInstructorSubjects.php of Online Student Enrollment System v1.0
Weaknesses CWE-20

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title SQL Injection in assignInstructorSubjects.php of Online Student Enrollment System v1.0
Weaknesses CWE-20
CWE-89

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Itsourcecode
Itsourcecode online Student Enrollment System
Vendors & Products Itsourcecode
Itsourcecode online Student Enrollment System

Fri, 10 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter "subjcode" and use it directly in SQL queries without the need for appropriate cleaning or validation.
References

Subscriptions

Itsourcecode Online Student Enrollment System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:19:38.512Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36233

cve-icon Vulnrichment

Updated: 2026-04-14T14:19:00.756Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T15:16:24.820

Modified: 2026-04-14T17:40:18.760

Link: CVE-2026-36233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses