Cyber Resilience

CVE-2026-2011

MediumPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2011 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode School Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2011 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode Student Management System 1.0. The flaw resides in an unknown function within the file /ramonsys/enrollment/controller.php, where manipulation of the ID argument triggers the injection.

The vulnerability enables remote exploitation by unauthenticated attackers with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful attacks could yield limited impacts on confidentiality, integrity, and availability, such as unauthorized data access or modification. An exploit has been made public and could be used.

Advisories and further details are available via VulDB entries (https://vuldb.com/?ctiid.344593, https://vuldb.com/?id.344593, https://vuldb.com/?submit.743498), a GitHub issue at https://github.com/tianrenu/CVE-Discoveries/issues/1, and the vendor site https://itsourcecode.com/. Practitioners should consult these for any patch or mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has…

more

been made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a public-facing web app (controller.php) directly enables unauthenticated remote exploitation of the application per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1176Same product: Itsourcecode School Management System
CVE-2026-2012Same product: Itsourcecode School Management System
CVE-2026-2014Same product: Itsourcecode School Management System
CVE-2026-2190Same product: Itsourcecode School Management System
CVE-2026-2013Same product: Itsourcecode School Management System
CVE-2026-2073Same product: Itsourcecode School Management System
CVE-2026-0544Same product: Itsourcecode School Management System
CVE-2026-2018Same product: Itsourcecode School Management System
CVE-2026-1701Same product: Itsourcecode School Management System
CVE-2026-3261Same product: Itsourcecode School Management System

Affected Assets

itsourcecode
school management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the ID argument in controller.php to block SQL injection payloads before they reach the database.

prevent

Mandates timely remediation of the publicly disclosed flaw in /ramonsys/enrollment/controller.php to eliminate the SQL injection vulnerability.

preventdetect

Boundary protection mechanisms such as WAF rules can inspect and block malicious ID parameters in remote requests to the enrollment endpoint.

References