Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.
Published: 2026-04-13
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the /otas/projects_per_department.php script of the Sourcecodester Online Thesis Archiving System v1.0. Unsanitized user input may be injected directly into SQL statements, allowing an attacker to execute arbitrary SQL queries against the application’s database. The primary impact of this flaw would be the unauthorized manipulation or disclosure of data stored in the database; this is inferred from the nature of SQL injection as the description itself does not detail specific consequences.

Affected Systems

The affected product is Sourcecodester Online Thesis Archiving System version 1.0, a PHP-based web application used for archiving academic theses. No vendor information beyond the generic product name is provided.

Risk and Exploitability

The CVSS v3.1 score of 2.7 indicates a low overall severity, and the EPSS score of less than 1% points to a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is presumed to be remote through HTTP requests to the vulnerable page; the requirement of authentication is not specified, but it is inferred that manipulation could be performed without special privileges based on the file path exposed in the URL.

Generated by OpenCVE AI on April 14, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for a vendor patch that fixes the SQL injection in /otas/projects_per_department.php and apply it immediately if available.
  • In the absence of a patch, refactor the script to use prepared statements or parameterized queries and validate all user input before including it in SQL commands.
  • Perform a comprehensive review of the application’s code to identify and remediate other potential injection points.
  • Configure a web application firewall to detect and block suspicious SQL syntax, and monitor logs for anomalous database activity.
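The second recommended action, rewriting the query with input validation and a prepared statement, as an added PHP example. This is not code from the Online Thesis Archiving System; the `department_id` parameter, the `projects` table and the `$db` mysqli connection are assumptions chosen for illustration.

```php
<?php
// Added example; not the project's code. Assumed names: GET parameter
// "department_id", table "projects" with a "department_id" column,
// and an already-open mysqli connection in $db.

// Make mysqli raise exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// WEAK PATTERN: the request value is spliced into the SQL text, so the
// database parses whatever the client sent as part of the statement.
function projects_per_department_weak(mysqli $db, array $get): array
{
    $dept = $get['department_id'] ?? '';
    $sql  = "SELECT id, title, author FROM projects WHERE department_id = '$dept'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// HARDENED: validate the type first, then bind the value as a parameter.
// The SQL text is fixed; the value is sent separately and can never be
// interpreted as SQL syntax.
function projects_per_department_safe(mysqli $db, array $get): array
{
    // Step 1: an id must be a positive integer; reject anything else
    // before it reaches the database layer.
    $dept = filter_var(
        $get['department_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($dept === false) {
        http_response_code(400);
        return [];
    }

    // Step 2: prepared statement with a bound integer parameter.
    $stmt = $db->prepare(
        'SELECT id, title, author FROM projects WHERE department_id = ?'
    );
    $stmt->bind_param('i', $dept);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Usage with assumed credentials (replace with the application's own config):
// $db = new mysqli('localhost', 'otas_user', 'secret', 'otas');
// $db->set_charset('utf8mb4');
// print_r(projects_per_department_safe($db, $_GET));
```

The same two steps apply to every other script that builds SQL from request data, which is what the third action above asks the reviewer to look for.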


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in Online Thesis Archiving System v1.0

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Online Thesis Archiving System v1.0

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester online Thesis Archiving System
Vendors & Products Sourcecodester
Sourcecodester online Thesis Archiving System

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:31:40.795Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36950

Vulnrichment

Updated: 2026-04-14T15:31:26.772Z

NVD

Status: Deferred

Published: 2026-04-13T17:16:29.110

Modified: 2026-06-17T10:41:25.257

Link: CVE-2026-36950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')