CVE-2026-1590
Published: 29 January 2026
Summary
CVE-2026-1590 is a medium-severity Injection (CWE-74) vulnerability in Angeljudesuarez School Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1590 is a SQL injection vulnerability affecting itsourcecode School Management System version 1.0. The issue resides in an unspecified function within the file /ramonsys/faculty/index.php, where manipulation of the ID argument enables SQL injection. Published on 2026-01-29, it is associated with CWE-74 and CWE-89.
The vulnerability allows remote exploitation by unauthenticated attackers with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories referenced in VulDB entries (e.g., https://vuldb.com/?ctiid.343353, https://vuldb.com/?id.343353, https://vuldb.com/?submit.740687) document the issue, while the software source is at https://itsourcecode.com/. A publicly available exploit is hosted at https://mega.nz/file/GYsm2Q7K#B7NUGX5Fy9iLYssM474U3zFsmZp_14v0n5Sp-5N95yI, which might be used in attacks. No specific patches or mitigation steps are detailed in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4988
Vulnerability details
A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (/ramonsys/faculty/index.php) directly enables remote exploitation of the application without authentication.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the ID argument in /ramonsys/faculty/index.php to block SQL injection payloads.
- SI-2 (Flaw Remediation): requires timely remediation of the known SQL injection flaw in the School Management System before exploitation occurs.
- Access control on /ramonsys/faculty/index.php: ensures that unauthenticated remote attackers cannot reach the vulnerable ID parameter.
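As an added illustration, not code from the School Management System (the page names /ramonsys/faculty/index.php and its ID argument but shows no source), the CWE-89 pattern in a PHP handler that reads an ID argument, beside the hardened form SI-10 calls for: accept ID only as a positive integer and bind it as a typed parameter of a prepared statement. The table and column names and the SQLite fixture are assumptions.

```php
<?php
// Added illustration, not the School Management System's own code: the page
// names /ramonsys/faculty/index.php and its ID argument but shows no source.
// Table and column names and the SQLite fixture are assumptions.
declare(strict_types=1);

// Vulnerable pattern (the CWE-89 class of bug): the request value is pasted
// into the SQL text, so the database cannot separate data from query structure.
function facultyByIdUnsafe(PDO $db, string $rawId): array
{
    $sql = "SELECT * FROM faculty WHERE id = '" . $rawId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (NIST SI-10, Information Input Validation):
// 1. accept ID only as a positive integer, rejecting anything else outright;
// 2. bind it as a typed parameter of a prepared statement, so it can only
//    ever be a value, never part of the query.
function validateId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function facultyByIdSafe(PDO $db, mixed $rawId): ?array
{
    $id = validateId($rawId);
    if ($id === null) {
        http_response_code(400); // reject invalid input; do not try to "clean" it
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM faculty WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory SQLite fixture so the example runs stand-alone.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, performs the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE faculty (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO faculty VALUES (1, 'A. Example'), (2, 'B. Example')");

var_dump(facultyByIdSafe($db, '2'));   // lookup with a well-formed ID
var_dump(facultyByIdSafe($db, 'abc')); // malformed ID: rejected before any SQL runs
```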