Description
A security vulnerability has been detected in halex CourseSEL up to 1.1.0. Affected by this vulnerability is the function check_sel of the file Apps/Index/Controller/IndexController.class.php of the component HTTP GET Parameter Handler. The manipulation of the argument seid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A GET request that contains the parameter "seid" can be manipulated to inject arbitrary SQL statements. The vulnerability exists within the function responsible for handling course selections in the CourseSEL application. Attackers can alter the query logic, potentially reading, modifying, or deleting database records, which may compromise confidentiality, integrity, and availability of the educational data stored by the system.

Affected Systems

The flaw affects the CourseSEL product from the halex vendor, specifically versions up to and including 1.1.0. Any deployment of this software that relies on the default HTTP GET parameter handler without protection against injection is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. Its EPSS score is not available, and it is not listed in the CISA KEV catalog, though the public disclosure confirms that exploitation scripts exist. The attack vector is remote through crafted web requests and does not require local access or elevated privileges, making the threat realistic for any exposed instance of the application.

Generated by OpenCVE AI on April 5, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed CourseSEL version and determine if a newer release containing a fix is available.
  • If a patched version exists, upgrade immediately to eliminate the injection path.
  • In the absence of an official patch, implement input validation to restrict the "seid" parameter to numeric values only, and use prepared statements or parameterized queries to handle database interactions.
  • Apply network-level access controls to limit exposure of the CourseSEL instance to trusted hosts or VPN access.
  • Monitor web application logs for suspicious query patterns and perform regular vulnerability scans to detect signs of exploitation.

Generated by OpenCVE AI on April 5, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Halex
Halex coursesel
Vendors & Products Halex
Halex coursesel

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in halex CourseSEL up to 1.1.0. Affected by this vulnerability is the function check_sel of the file Apps/Index/Controller/IndexController.class.php of the component HTTP GET Parameter Handler. The manipulation of the argument seid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title halex CourseSEL HTTP GET Parameter IndexController.class.php check_sel sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Halex Coursesel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T17:59:07.405Z

Reserved: 2026-04-04T06:42:15.923Z

Link: CVE-2026-5537

cve-icon Vulnrichment

Updated: 2026-04-06T17:59:00.631Z

cve-icon NVD

Status : Deferred

Published: 2026-04-05T04:16:15.730

Modified: 2026-04-24T18:14:34.620

Link: CVE-2026-5537

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:17Z

Weaknesses