The vulnerability is an SQL Injection in the load_student.php endpoint of Basic Library System v1.0. The flaw allows an attacker to inject arbitrary SQL statements through unsanitized user‑supplied input, potentially retrieving, modifying, or deleting data from the underlying database. This weakness aligns with CWE‑89, where improper validation of SQL query parameters leads to unauthorized database access. The impact is the loss of data confidentiality, integrity, and availability, depending on the attacker’s goals, because credentials or library records could be exposed or altered.

Affected systems include the Sourcecodester Basic Library System open‑source application version 1.0. The vulnerability resides in the public web script /librarysystem/load_student.php. If the system is deployed in a production environment where the script is reachable, all users accessing this endpoint are at risk. No other versions or builds are listed as affected, but any deployment of 1.0 remains vulnerable until changes are made.

The CVSS score of 2.7 indicates a low severity, suggesting limited impact when restricted to a single user context. EPSS is below 1 %, implying low market exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, so no known active exploitation. However, the attack vector is inferred to be local or remote through web submission of crafted input; the description does not explicitly state the required conditions, so it is assumed the attacker can reach the endpoint via HTTP requests. With no public exploit code available, exploitation remains theoretically possible but not actively observed.