Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.
Published: 2026-04-13
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Web Application SQL Injection
Action: Patch/Restrict
AI Analysis

Impact

Sourcecodester Online Thesis Archiving System 1.0 contains a SQL injection flaw (CWE-89) in /otas/admin/curriculum/manage_curriculum.php. The record does not name the injected parameter; the script is the administrative curriculum-management page, so the likely vector is a request parameter that the page concatenates into a SQL statement without neutralization. In general a CWE-89 flaw lets an attacker read data the query was never meant to return and, depending on the query and the database account's privileges, modify or delete records. The CVSS vector assigned to this record (C:L/I:N/A:N) assesses only a limited loss of confidentiality, so the concrete reach of this instance should be verified against the code rather than assumed.

Affected Systems

The vulnerability affects Sourcecodester Online Thesis Archiving System version 1.0, specifically the administrative page that handles curriculum data. No other vendors or product versions are listed in the record. The only affected component named is the manage_curriculum.php script, which is reachable only by administrative users.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N gives a score of 2.7 (Low): the page is reachable over the network with low attack complexity and no user interaction, but exploitation requires high privileges, meaning an authenticated administrator account, and the assessed impact is limited to a low confidentiality loss. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. In practice the main risk is an attacker who already holds or has phished an admin login, or an admin interface left exposed without authentication; from that position the attacker can run SQL of their choosing within the privileges of the application's database account, so the actual read and write reach depends on that account's grants and on which query is injected.

Generated by OpenCVE AI on April 14, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or repository for an updated version of Sourcecodester Online Thesis Archiving System that addresses this issue.
  • Limit access to the /otas/admin/curriculum/manage_curriculum.php endpoint by IP address, VPN, or strict authentication controls.
  • Refactor the curriculum management code to use prepared statements or parameterized queries, ensuring that all user input is properly validated before being included in SQL commands.
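As an added example, not code from the Online Thesis Archiving System (its manage_curriculum.php is not reproduced on this page), here is the pattern the last bullet describes: a hypothetical curriculum handler, first with the string-concatenation query that produces CWE-89, then rewritten with mysqli prepared statements and input validation, behind an admin-session check. The table and column names (curriculum, id, name, description), the form field names, the session key admin_id and the connection details are all assumptions.

```php
<?php
// Added example, not the project's own code. Names below are assumptions:
// table `curriculum` with columns id, name, description; form fields id, name,
// description, delete; session key admin_id; connection parameters.
declare(strict_types=1);

session_start();
// Admin-only page: refuse anything without an admin session (session key is assumed).
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('admin login required');
}

// Make mysqli throw on errors so a failed prepare() cannot silently fall through.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'otas', 'change-me', 'otas_db');   // assumed credentials
$db->set_charset('utf8mb4');

// --- Vulnerable pattern (CWE-89), shown for contrast only; do not use ---
// The request value is pasted into the SQL text, so an id such as
//   1' OR '1'='1
// rewrites the WHERE clause instead of being compared as data.
function load_curriculum_unsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT id, name, description FROM curriculum WHERE id = '" . $id . "'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// --- Hardened pattern: validate the shape, then bind as a parameter ---
function load_curriculum(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // not an id at all; never reaches SQL
    }
    $stmt = $db->prepare('SELECT id, name, description FROM curriculum WHERE id = ?');
    $stmt->bind_param('i', $id);           // value travels separately from the query text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function save_curriculum(mysqli $db, ?int $id, string $name, string $description): int
{
    // Enforce what the column can hold instead of trusting the form.
    if ($name === '' || mb_strlen($name) > 250) {
        throw new InvalidArgumentException('invalid curriculum name');
    }
    if ($id === null) {
        $stmt = $db->prepare('INSERT INTO curriculum (name, description) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $description);
    } else {
        $stmt = $db->prepare('UPDATE curriculum SET name = ?, description = ? WHERE id = ?');
        $stmt->bind_param('ssi', $name, $description, $id);
    }
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

function delete_curriculum(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM curriculum WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Dispatch on the request. Every value from $_GET/$_POST goes through a typed
// parameter; the query strings above contain no request data.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = ($_POST['id'] ?? '') === '' ? null : filter_var($_POST['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('bad id');
    }
    if (isset($_POST['delete']) && $id !== null) {
        delete_curriculum($db, $id);
    } else {
        save_curriculum($db, $id, (string) ($_POST['name'] ?? ''), (string) ($_POST['description'] ?? ''));
    }
} elseif (isset($_GET['id'])) {
    $row = load_curriculum($db, (string) $_GET['id']);
}
```

The point of the hardened functions is that the SQL text is a constant and every request value is bound with a type (`i` for the id, `s` for the strings), so the database parses the statement before it ever sees the data. The report mode is set before connecting so that a prepare() failure throws instead of returning false and being dereferenced. Identifiers such as column names cannot be bound this way; if the real page lets an admin choose a sort column, that value must be checked against a fixed allow-list rather than interpolated.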

Generated by OpenCVE AI on April 14, 2026 at 18:57 UTC.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title SQL Injection in Sourcecodester Online Thesis Archiving System

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Sourcecodester Online Thesis Archiving System

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared (none) Sourcecodester; Sourcecodester online Thesis Archiving System
Vendors & Products (none) Sourcecodester; Sourcecodester online Thesis Archiving System

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses (none) CWE-89
Metrics (none) cvssV3_1: score 2.7, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N; ssvc (version 2.0.3): Automatable: no, Exploitation: none, Technical Impact: partial


Mon, 13 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T15:31:59.960Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36952

Vulnrichment

Updated: 2026-04-14T15:31:27.841Z

NVD

Status: Deferred

Published: 2026-04-13T17:16:29.230

Modified: 2026-06-17T10:41:25.403

Link: CVE-2026-36952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')