Description
A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. Manipulation of the argument user_email causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-03-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing database compromise
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the processing of /sms/login.php in itsourcecode's Online Enrollment System, where an unsanitized user_email argument is incorporated directly into SQL statements. This enables a remote attacker to inject malicious SQL, potentially reading, modifying, or deleting data, and thereby compromising the confidentiality, integrity, and availability of the enrollment database.

Affected Systems

The affected product is itsourcecode Online Enrollment System version 1.0, specifically the /sms/login.php endpoint. Users deploying this version should verify whether their installation exposes this endpoint.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but an exploit has been made publicly available. Attackers can exploit it remotely by sending a crafted request to the login page. Without a vendor patch, the risk persists for any system that remains on this vulnerable version.

Generated by OpenCVE AI on March 22, 2026 at 14:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact itsourcecode to obtain a patch or an updated version of the Online Enrollment System that sanitizes the user_email input.
  • If a patch is unavailable, restrict direct access to /sms/login.php through firewall rules or IP whitelisting to limit exposure to trusted administrators.
  • Modify the application code to use parameterized queries or prepared statements for database access, so that user-supplied data such as user_email is bound as a parameter and never concatenated into the SQL string.
  • Regularly review server and database logs for anomalous activity that may indicate SQL injection attempts.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values Added: Itsourcecode; Itsourcecode online Student Enrollment System

Type: Vendors & Products
Values Added: Itsourcecode; Itsourcecode online Student Enrollment System

Mon, 16 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added:
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 11:30:00 +0000

Type: Description
Values Added: A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. Manipulation of the argument user_email causes SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.

Type: Title
Values Added: itsourcecode Online Enrollment System login.php sql injection

Type: Weaknesses
Values Added: CWE-74, CWE-89

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:42:42.757Z

Reserved: 2026-03-15T18:53:43.530Z

Link: CVE-2026-4235

Vulnrichment

Updated: 2026-03-16T18:42:33.055Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:20:17.717

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T08:00:27Z

Weaknesses