CVE-2026-36948
Received Received - Intake
SQL Injection in Sourcecodester Online Thesis Archiving System

Publication date: 2026-04-13

Last updated on: 2026-04-14

Assigner: MITRE

Description
Sourcecodester Online Thesis Archiving System v1.0 is vulnerale to SQL injection in the file /otas/view_archive.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-36948
EUVD
EUVD-2026-22004
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_thesis_archiving_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in the Online Thesis Archiving System v1.0 allows unauthorized data disclosure from the backend database. Such unauthorized access to sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

By enabling attackers to extract data without authorization, this vulnerability could result in exposure of personal or confidential information, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.

Executive Summary

The Online Thesis Archiving System v1.0 by Sourcecodester has an SQL injection vulnerability in the file /otas/view_archive.php.

This vulnerability occurs at the URL parameter 'id' in the endpoint /otas/?page=view_archive&id=, which allows an attacker to manipulate the parameter to execute arbitrary SQL queries on the backend database.

For example, an attacker can use a crafted payload to inject a UNION SELECT statement to retrieve sensitive information such as the current database name.

Impact Analysis

This SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the backend database.

  • Unauthorized disclosure of sensitive data stored in the database.
  • Potential modification or deletion of database records.
  • Compromise of the integrity and confidentiality of the system's data.
Detection Guidance

This SQL injection vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint and observing the response for signs of SQL injection.

Specifically, you can test the URL parameter `id` in the endpoint `/otas/?page=view_archive&id=` by injecting SQL payloads.

  • Send a request like `/otas/?page=view_archive&id=0' union select 1,2,3,4,database(),6,7,8,9,10,11,12,13--+` to check if the database name is returned in the response.
  • Use tools such as curl or a web proxy to send the above request and analyze the HTTP response for database information disclosure.
Mitigation Strategies

To mitigate the SQL injection vulnerability in the Online Thesis Archiving System v1.0, immediate steps include:

  • Sanitize and validate all user inputs, especially the 'id' parameter in the /otas/view_archive.php file.
  • Use prepared statements or parameterized queries to prevent direct injection of SQL code.
  • Restrict database permissions to limit the impact of a potential injection.
  • Monitor and log suspicious requests targeting the vulnerable endpoint.
  • Apply any available patches or updates from the vendor or source if available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart