{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4573", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T08:48:13.841Z", "datePublished": "2026-03-23T05:01:39.300Z", "dateUpdated": "2026-03-25T13:57:21.182Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T05:01:39.300Z"}, "title": "SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Simple E-learning System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["HTTP GET Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Parameter Handler. The manipulation of the argument post_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T09:53:23.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "563742137abc (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352410", "name": "VDB-352410 | SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352410", "name": "VDB-352410 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775181", "name": "Submit #775181 | SourceCodester Simple E-learning System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Simple-E-learning-System/SQLi-DeletePost-postId.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:56:45.050362Z", "id": "CVE-2026-4573", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:57:21.182Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4573", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:56:45.050362Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:57:15.681Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "563742137abc (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "modules": ["HTTP GET Parameter Handler"], "product": "Simple E-learning System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-22T09:53:23.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352410", "name": "VDB-352410 | SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352410", "name": "VDB-352410 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775181", "name": "Submit #775181 | SourceCodester Simple E-learning System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Simple-E-learning-System/SQLi-DeletePost-postId.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Parameter Handler. The manipulation of the argument post_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T05:01:39.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4573", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:57:21.182Z", "dateReserved": "2026-03-22T08:48:13.841Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-23T05:01:39.300Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Parameter Handler. The manipulation of the argument post_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de seguridad en SourceCodester Simple E-learning System 1.0. Esto afecta una parte desconocida del archivo /includes/form_handlers/delete_post.php del componente Gestor de Par\u00e1metros GET HTTP. La manipulaci\u00f3n del argumento post_id conduce a inyecci\u00f3n SQL. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado."}], "id": "CVE-2026-4573", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T06:16:20.400", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Simple-E-learning-System/SQLi-DeletePost-postId.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352410"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352410"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.775181"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "simple_e-learning_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-23T06:22:32.439289+00:00", "value": {"mitigation_remediation": ["Apply the latest patch from SourceCodester for Simple E-learning System v1.0 that sanitizes the post_id parameter.", "If no patch is available, restrict direct access to delete_post.php using web server rules such as IP whitelisting or disabling the endpoint temporarily.", "Modify the code to cast post_id to an integer and bind it as a parameter in prepared SQL statements.", "Enable application logging and monitor for suspicious DELETE or UPDATE queries involving the posts table.", "Conduct a review of all input points in the application for similar SQL injection risks and remediate accordingly."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "The flaw exists in SourceCodester Simple E-learning System version 1.0, specifically within the file /includes/form_handlers/delete_post.php. No other variants or versions were identified in the CVE data.", "description_and_impact": "The vulnerability lies in the delete_post.php handler of SourceCodester Simple E-learning System, where an attacker can supply a crafted post_id via the HTTP GET parameter. This manipulation allows arbitrary SQL statements to be executed against the database, potentially exposing, modifying, or deleting sensitive course and user data. The flaw stems from insufficient input validation and direct inclusion of the parameter in SQL queries (CWE-89).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate risk, and while no EPSS value is available, the vulnerability was publicly disclosed and can be exploited remotely by sending a crafted URL with a malicious post_id. Since it does not appear in the CISA KEV catalog, the current threat level is moderate but non-negligible. Exploitation requires only network access to the application and does not necessitate authentication."}}}}, "created": "2026-03-23T09:45:28.309650+00:00", "updated": "2026-03-25T14:49:46.482352+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$simple_e-learning_system"]}