CVE-2026-4485
SQL Injection in itsourcecode College Management System Admin Module

Publication date: 2026-03-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in itsourcecode College Management System 1.0. The affected element is an unknown function of the file /admin/search_student.php. Manipulation of the argument Search leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Meta Information

Published: 2026-03-20

Last Modified: 2026-04-29

Generated: 2026-05-07

AI Q&A: 2026-03-20

EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: itsourcecode

Product: college_management_system

Version / Range: 1.0
CWE ID: Description

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4485 is a critical SQL injection vulnerability found in the College Management System version 1.0, specifically in the "/admin/search_student.php" file. The vulnerability occurs because the application does not properly sanitize or validate the 'search' parameter used in SQL queries after user authentication.

Attackers who have valid credentials can inject malicious SQL code through this parameter, which allows unauthorized access to the database, leakage of sensitive data, data tampering, full system control, and potential disruption of services.

Two main types of attacks demonstrated include time-based blind SQL injection, which causes delays in database responses to confirm injection capability, and UNION-based SQL injection, which attempts to extract database information. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to sensitive student and system data, data leakage, and data tampering.

Attackers can gain full control over the system, potentially disrupting services and compromising the integrity and availability of the College Management System.

Since exploitation requires valid credentials, insider threats or compromised accounts pose a significant risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This SQL injection vulnerability can be detected by testing the 'search' parameter in the /admin/search_student.php endpoint for injection flaws. One method is to use time-based blind SQL injection payloads that cause a delay in the database response, confirming injection capability.

  • Example time-based blind SQL injection payload: search=1' AND (SELECT 5817 FROM (SELECT(SLEEP(5)))KPjT) AND 'tFvH'='tFvH&btnSearch=Search
  • Example UNION-based SQL injection payload to extract data: search=1' UNION ALL SELECT NULL,CONCAT(0x716b707071,0x464b73577a4d6c475a4c6e457641766b5565666444437a437672537753447753425470764f434479,0x716a627171),NULL,NULL,NULL-- -&btnSearch=Search

The sqlmap tool can be used to confirm the vulnerability by targeting the vulnerable endpoint and parameter. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Implementing prepared statements with parameter binding to separate SQL code from user input, which prevents SQL injection.
  • Strict input validation and filtering to ensure inputs conform to expected formats, such as numeric patterns for IDs.
  • Minimizing database user permissions by avoiding the use of high-privilege accounts for routine operations.
  • Conducting regular security audits to detect and remediate vulnerabilities promptly.
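
The first two mitigation steps above, as an added example that is not code from the College Management System or from this advisory: a concatenated query beside a validated, bound one. The student table, its columns, the lookup-by-ID behaviour and the in-memory SQLite database standing in for the application's database are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Schema, rows and the SQLite stand-in are assumptions,
// not taken from the College Management System source.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO student (name) VALUES ('Alice'), ('Bob'), ('Carol')"); // constructed rows
    return $db;
}

// Vulnerable pattern (CWE-89): the request value becomes part of the SQL text.
function searchUnsafe(PDO $db, string $search): array
{
    $sql = "SELECT id, name FROM student WHERE id = '" . $search . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the expected numeric format, then bind the value as data.
function searchSafe(PDO $db, string $search): array
{
    if (!ctype_digit($search) || strlen($search) > 9) {
        return []; // reject anything that is not a short run of digits
    }
    $stmt = $db->prepare('SELECT id, name FROM student WHERE id = :id');
    $stmt->bindValue(':id', (int) $search, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$input = "1' OR '1'='1"; // constructed input containing a quote character

// Concatenation: the quote ends the literal and the rest is parsed as SQL,
// so the WHERE clause no longer restricts the result to one student.
printf("unsafe, constructed input: %d rows\n", count(searchUnsafe($db, $input)));

// Validation rejects the input before any query runs.
printf("safe, constructed input:   %d rows\n", count(searchSafe($db, $input)));

// A well-formed ID still works through the bound statement.
printf("safe, id 2: %s\n", json_encode(searchSafe($db, '2')));
```

Against MySQL through PDO, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared by the server rather than emulated on the client.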
