{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3740", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-07T20:08:24.766Z", "datePublished": "2026-03-08T14:32:08.444Z", "dateUpdated": "2026-03-12T15:01:03.658Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-08T14:32:08.444Z"}, "title": "itsourcecode University Management System admin_search_student.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "University Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /admin_search_student.php. This manipulation of the argument admin_search_student causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-07T21:13:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Jon0 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.349718", "name": "VDB-349718 | itsourcecode University Management System admin_search_student.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349718", "name": "VDB-349718 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767341", "name": "Submit #767341 | itsourcecode V1.0 SQL injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/DaMaTou00/project/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:00:55.369723Z", "id": "CVE-2026-3740", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:01:03.658Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3740", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:00:55.369723Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:00:59.175Z"}}], "cna": {"tags": ["x_freeware"], "title": "itsourcecode University Management System admin_search_student.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "Jon0 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "itsourcecode", "product": "University Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-07T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-07T21:13:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.349718", "name": "VDB-349718 | itsourcecode University Management System admin_search_student.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349718", "name": "VDB-349718 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767341", "name": "Submit #767341 | itsourcecode V1.0 SQL injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/DaMaTou00/project/issues/1", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /admin_search_student.php. This manipulation of the argument admin_search_student causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-08T14:32:08.444Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3740", "state": "PUBLISHED", "dateUpdated": "2026-03-12T15:01:03.658Z", "dateReserved": "2026-03-07T20:08:24.766Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-08T14:32:08.444Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:angeljudesuarez:university_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "46ABF764-A0DC-4B5A-83AE-90926CEB0601", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /admin_search_student.php. This manipulation of the argument admin_search_student causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en itsourcecode University Management System 1.0. Afecta a una funci\u00f3n desconocida del archivo /admin_search_student.PHP. Esta manipulaci\u00f3n del argumento admin_search_student causa inyecci\u00f3n SQL. El ataque puede ser llevado a cabo remotamente. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda ser utilizado para ataques."}], "id": "CVE-2026-3740", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-08T15:15:48.360", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/DaMaTou00/project/issues/1"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.349718"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.349718"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.767341"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "University Management System", "source": "cna", "vendor": "itsourcecode"}, "product": "university_management_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-04-16T10:33:46.283343+00:00", "value": {"mitigation_remediation": ["Update the University Management System to the newest patch released by itsourcecode. If no patch is available, request an urgent fix from the vendor.", "Refactor the admin_search_student functionality to use parameterized SQL queries and validate all input values before use in database statements.", "Implement strict access controls so that only authenticated administrators can access the admin_search_student endpoint, and enforce role\u2011based restrictions on the data returned."], "summary": {"action": "Apply Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected are the University Management System released by itsourcecode, version\u202f1.0, which contains the vulnerable admin_search_student.php script. No other product versions are listed as affected.", "description_and_impact": "The vulnerability is a classic SQL injection in the admin_search_student.php module of the University Management System 1.0, allowing a remote attacker to manipulate the admin_search_student parameter. This flaw is a CWE\u201174/CWE\u201189 weakness that can be abused for arbitrary SQL execution. The attack vector is remote and can be triggered by sending crafted HTTP requests that include malicious input.", "risk_and_exploitability": "The CVSS base score is 6.9, indicating moderate severity. The EPSS score of less than 1% points to an extremely low likelihood of exploitation in the wild, and the vulnerability has not been catalogued in CISA\u2019s KEV list. Attackers can trigger the issue remotely by sending crafted HTTP requests containing malicious values for the admin_search_student parameter, potentially from a web browser or automated script. Successful exploitation would require the application to be reachable and its input handling to be unprotected, thereby exposing the database to unauthorized queries."}}}}, "created": "2026-03-09T10:03:09.124568+00:00", "updated": "2026-04-16T10:45:26.007702+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$university_management_system"]}