SourceCodester Engineers Online Portal version 1.0 contains an unsanitized SQL injection flaw in the update_password.php script where the new_password parameter is directly concatenated into a database query. This weakness, identified as CWE-89, permits an attacker to modify the intended SQL statement and execute arbitrary commands against the underlying database. Successful exploitation could result in unauthorized reading, alteration, or deletion of sensitive data stored in the portal’s database, thereby compromising data integrity and confidentiality.

The affected product is Janobe’s SourceCodester Engineers Online Portal, version 1.0. The CPE confirms that only this exact version is vulnerable. No other vendors or product versions are listed in the CNA data, so administrators should verify that they are running this specific version and that update_password.php is hosted in their environment.

The CVSS score of 9.8 indicates a critical severity. EPSS is reported to be less than 1%, suggesting that while the flaw is severe, its exploitation probability is currently low, possibly due to limited public exposure or lack of known exploit code. The vulnerability does not appear in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a remote HTTP request to the password update endpoint. If an attacker can reach update_password.php, either as an authenticated user or, if the endpoint is publicly accessible, they could craft a malicious new_password value to inject arbitrary SQL statements, potentially gaining unauthorized data access or manipulating application data.