{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4235", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-15T18:53:43.530Z", "datePublished": "2026-03-16T11:02:09.046Z", "dateUpdated": "2026-03-16T18:42:42.757Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-16T11:02:09.046Z"}, "title": "itsourcecode Online Enrollment System login.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "itsourcecode", "product": "Online Enrollment System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. This manipulation of the argument user_email causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-15T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-15T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-15T19:58:47.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "yu_ji (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.351158", "name": "VDB-351158 | itsourcecode Online Enrollment System login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351158", "name": "VDB-351158 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771240", "name": "Submit #771240 | itsourcecode Online Enrollment System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yuji0903/silver-guide/issues/11", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:42:24.781036Z", "id": "CVE-2026-4235", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:42:42.757Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4235", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T18:42:24.781036Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:42:33.055Z"}}], "cna": {"tags": ["x_freeware"], "title": "itsourcecode Online Enrollment System login.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "yu_ji (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "itsourcecode", "product": "Online Enrollment System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-15T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-15T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-15T19:58:47.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351158", "name": "VDB-351158 | itsourcecode Online Enrollment System login.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351158", "name": "VDB-351158 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.771240", "name": "Submit #771240 | itsourcecode Online Enrollment System V1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yuji0903/silver-guide/issues/11", "tags": ["exploit", "issue-tracking"]}, {"url": "https://itsourcecode.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. This manipulation of the argument user_email causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-16T11:02:09.046Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4235", "state": "PUBLISHED", "dateUpdated": "2026-03-16T18:42:42.757Z", "dateReserved": "2026-03-15T18:53:43.530Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-16T11:02:09.046Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. This manipulation of the argument user_email causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Una debilidad ha sido identificada en itsourcecode Online Enrollment System 1.0. Este problema afecta alg\u00fan procesamiento desconocido del archivo /sms/login.PHP. Esta manipulaci\u00f3n del argumento user_email causa inyecci\u00f3n SQL. El ataque es posible de ser llevado a cabo remotamente. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda ser usado para ataques."}], "id": "CVE-2026-4235", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-16T14:20:17.717", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/yuji0903/silver-guide/issues/11"}, {"source": "cna@vuldb.com", "url": "https://itsourcecode.com/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351158"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351158"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.771240"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "Online Enrollment System", "source": "cna", "vendor": "itsourcecode"}, "product": "online_student_enrollment_system", "vendor": "itsourcecode"}], "analysis": {"en": {"generated_at": "2026-03-22T14:46:11.274064+00:00", "value": {"mitigation_remediation": ["Contact itsourcecode to obtain a patch or an updated version of the Online Enrollment System that sanitizes the user_email input.", "If a patch is unavailable, restrict direct access to /sms/login.php through firewall rules or IP whitelisting to limit exposure to trusted administrators.", "Modify the application code to use parameterized queries or prepared statements for database access, ensuring that all user-supplied data is properly escaped.", "Regularly review server and database logs for anomalous activity that may indicate attempted SQL injection attempts."], "summary": {"action": "Apply patch", "impact": "SQL Injection allowing database compromise"}, "threat_synthesis": {"affected_systems": "The affected product is itsourcecode Online Enrollment System version 1.0, specifically the /sms/login.php endpoint. Users deploying this version should verify whether their installation includes this processing mechanism.", "description_and_impact": "The vulnerability resides in the login.php process of itsourcecode's Online Enrollment System, where an unsanitized user_email argument is incorporated directly into SQL statements. This enables a remote attacker to inject malicious SQL, potentially reading, modifying, or deleting data, and thereby compromising confidentiality, integrity, and availability of the enrollment database.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but it remains publicly exploitable. Attackers can carry out the exploitation remotely by sending a crafted request to the login page. Without a vendor patch, the risk persists for any system that remains on this vulnerable version."}}}}, "created": "2026-03-24T10:45:01.516489+00:00", "updated": "2026-03-30T08:00:27.285095+00:00", "vendors": ["itsourcecode", "itsourcecode$PRODUCT$online_student_enrollment_system"]}