CVE-2026-3149
Received Received - Intake
SQL Injection in itsourcecode College Management System Admin Module

Publication date: 2026-02-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2026-02-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3149
EUVD
EUVD-2026-8619
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
angeljudesuarez college_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

Exploitation of this vulnerability can lead to unauthorized database access, leakage of sensitive data, data tampering, full system control by attackers, and potential disruption of services.

This severely compromises the confidentiality, integrity, and availability of the affected system, threatening business continuity and security.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "CVE-2026-3149 is a SQL injection vulnerability in the itsourcecode College Management System version 1.0, specifically in the file /admin/asign-single-student-subjects.php. The vulnerability occurs because the application does not properly sanitize or validate the 'course_code' parameter, allowing an attacker to inject malicious SQL commands."}, {'type': 'paragraph', 'content': 'This flaw corresponds to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and can be exploited remotely, sometimes even without authentication. Exploits include time-based blind SQL injection and UNION-based queries to extract data.'}] [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by testing the 'course_code' POST parameter in the /admin/asign-single-student-subjects.php file for injection flaws."}, {'type': 'paragraph', 'content': "One method is to use SQL injection testing tools such as sqlmap targeting the 'course_code' parameter with a valid PHP session cookie to simulate authenticated access."}, {'type': 'list_item', 'content': 'Example sqlmap command: sqlmap -u "http://target/admin/asign-single-student-subjects.php" --data="course_code=Select Course" --cookie="PHPSESSID=your_session_id" --risk=3 --level=5'}, {'type': 'list_item', 'content': "Manual testing can include injecting payloads such as time-based blind SQL injection: course_code=Select Course' AND (SELECT SLEEP(5)) AND 'OIgG'='OIgG"}, {'type': 'list_item', 'content': "Another manual payload example is UNION-based injection: course_code=Select Course' UNION ALL SELECT CONCAT(0x7171716271,0x417054464b6169474662664f4855784e42456362574d48476f7a64597073536d797a664c7865654e,0x71626b6a71),NULL,NULL,NULL,NULL-- -"}, {'type': 'paragraph', 'content': 'Additionally, attackers can identify vulnerable targets using Google dorking with queries like: inurl:admin/asign-single-student-subjects.php'}] [1, 2]


What immediate steps should I take to mitigate this vulnerability?

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection by separating SQL code from user input.'}, {'type': 'paragraph', 'content': "Strict input validation and filtering should be applied to the 'course_code' parameter to ensure it conforms to expected formats, such as numeric or predefined patterns."}, {'type': 'paragraph', 'content': 'Minimize database user permissions by avoiding the use of high-privilege accounts for routine database operations.'}, {'type': 'paragraph', 'content': 'Conduct regular security audits and code reviews to detect and remediate vulnerabilities promptly.'}, {'type': 'paragraph', 'content': 'If possible, replace the affected component or upgrade to a version without this vulnerability.'}] [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart