Description
A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.
Published: 2026-04-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Patch Now
AI Analysis

Impact

A SQL injection flaw exists in the scheduleSubList.php component of the Online Student Enrollment System. The subject code parameter is inserted into an SQL statement without validation, allowing an attacker to craft malicious input that can execute arbitrary SQL commands. This could expose or alter sensitive student records, leading to confidentiality and integrity violations.

Affected Systems

The vulnerability affects the Online Student Enrollment System version 1.0, as identified by its CPE entry. No additional vendor or product context is available.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of less than 1% suggests the exploitation probability is low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via a web client that can supply the subjcode parameter to the exposed PHP endpoint. Successful exploitation would likely require the ability to send crafted HTTP requests to the application, either by unauthenticated or authenticated users depending on access controls, which are not specified in the description.

Generated by OpenCVE AI on April 14, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade to a newer version of the Online Student Enrollment System that addresses the SQL injection.
  • If an official fix is unavailable, modify the scheduleSubList.php source to use parameterized queries or prepared statements for the subjcode parameter.
  • Sanitize user input by validating the subjcode value against its expected format and removing SQL meta-characters before use.
  • Restrict access to the affected script by requiring authentication or limiting IP addresses that can reach it.
  • Monitor web logs for patterns of injection attempts and block offending IPs if necessary.
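The second and third actions above describe the code-level fix. What follows is an added illustration, not code from the itsourcecode project: a hypothetical reconstruction of the vulnerable pattern the advisory describes (the subjcode request parameter interpolated straight into the query string), placed beside a hardened version that validates the value against an allow-list and then binds it through a mysqli prepared statement. The table and column names (schedule, subjcode), the $conn connection object and the allowed subject-code format are assumptions.

```php
<?php
// Added example, not the project's own code. $conn (a connected mysqli object),
// the 'schedule' table and the 'subjcode' column are assumed names.

// BEFORE: the pattern CVE-2026-36235 describes. The parameter value becomes part
// of the SQL text, so the database parses whatever the client sent.
function scheduleForSubjectVulnerable(mysqli $conn, string $subjcode): array
{
    $sql = "SELECT * FROM schedule WHERE subjcode = '$subjcode'"; // string interpolation of untrusted input
    $result = $conn->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// AFTER: allow-list validation plus a prepared statement. The statement text is
// fixed; the value travels separately and can never change the query's structure.
function scheduleForSubject(mysqli $conn, string $subjcode): array
{
    // Assumed format: short alphanumeric subject codes. Reject anything else early.
    if (!preg_match('/^[A-Za-z0-9_-]{1,20}$/', $subjcode)) {
        throw new InvalidArgumentException('invalid subject code');
    }

    $stmt = $conn->prepare('SELECT * FROM schedule WHERE subjcode = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $subjcode);   // bound as a string parameter, not spliced into SQL
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $rows;
}

// Endpoint glue: read the parameter, treat it as untrusted, answer 400 on bad input.
$subjcode = $_GET['subjcode'] ?? '';
try {
    $rows = scheduleForSubject($conn, $subjcode);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

The prepared statement is the control that actually closes the injection; the format check is defence in depth and also gives a clean 400 response that is easy to count in web logs when monitoring for probing, as the last action above recommends. Stripping meta-characters on its own is not a substitute for binding the parameter.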

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:15:00 +0000
  Title: SQL Injection in Online Student Enrollment System 1.0 Allows Arbitrary Database Access

Tue, 14 Apr 2026 17:45:00 +0000
  CPEs: cpe:2.3:a:itsourcecode:online_student_enrollment_system:1.0:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:45:00 +0000
  Title: SQL Injection via Unvalidated subjcode Parameter in scheduleSubList.php of itsourcecode Online Student Enrollment System

Tue, 14 Apr 2026 14:15:00 +0000
  Metrics:
    cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    ssvc (version 2.0.3): Automatable = yes, Exploitation = poc, Technical Impact = total

Mon, 13 Apr 2026 14:30:00 +0000
  Title: SQL Injection via Unvalidated subjcode Parameter in scheduleSubList.php of itsourcecode Online Student Enrollment System
  Weaknesses: CWE-89

Mon, 13 Apr 2026 13:00:00 +0000
  First Time appeared: Itsourcecode; Itsourcecode online Student Enrollment System
  Vendors & Products: Itsourcecode; Itsourcecode online Student Enrollment System

Fri, 10 Apr 2026 14:45:00 +0000
  Description: A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.
  References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:04:25.315Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36235

Vulnrichment

Updated: 2026-04-14T14:04:12.420Z

NVD

Status : Analyzed

Published: 2026-04-10T15:16:25.077

Modified: 2026-04-14T17:40:30.570

Link: CVE-2026-36235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses