CVE-2026-2014
Published: 06 February 2026
Summary
CVE-2026-2014 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode School Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2014 is a SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Student Management System 1.0, affecting an unknown function within the file /ramonsys/billing/index.php. The flaw arises from improper handling of the ID argument, enabling injection attacks. Published on 2026-02-06, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low exploitation barriers.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in low impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL commands. A public exploit has been released, increasing the risk of real-world attacks against exposed instances.
Advisories and further details are available via VulDB entries (ctiid.344596, id.344596, submit.744048), a GitHub issue tracker (ltranquility/CVE/issues/35), and the vendor site (itsourcecode.com), though specific patch or mitigation guidance is not detailed in the primary disclosure.
The public availability of the exploit heightens the urgency for practitioners to scan and patch deployments of this student management system.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5680
Vulnerability details
A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The…
more
exploit has been released to the public and may be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote SQL injection in publicly accessible web app (billing/index.php) enables unauthenticated exploitation over the network.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the ID parameter in /ramonsys/billing/index.php to block malicious SQL syntax before it reaches the database.
Mandates timely remediation of the known SQL-injection flaw in the publicly released Student Management System 1.0 code.
Enables continuous monitoring of web-application traffic and database queries to identify anomalous SQL patterns indicative of injection attempts.