Cyber Resilience

CVE-2026-2014

MediumPublic PoC

Published: 06 February 2026

Published
06 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2014 is a medium-severity Injection (CWE-74) vulnerability in Itsourcecode School Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2014 is a SQL injection vulnerability (CWE-74, CWE-89) in the itsourcecode Student Management System 1.0, affecting an unknown function within the file /ramonsys/billing/index.php. The flaw arises from improper handling of the ID argument, enabling injection attacks. Published on 2026-02-06, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low exploitation barriers.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in low impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL commands. A public exploit has been released, increasing the risk of real-world attacks against exposed instances.

Advisories and further details are available via VulDB entries (ctiid.344596, id.344596, submit.744048), a GitHub issue tracker (ltranquility/CVE/issues/35), and the vendor site (itsourcecode.com), though specific patch or mitigation guidance is not detailed in the primary disclosure.

The public availability of the exploit heightens the urgency for practitioners to scan and patch deployments of this student management system.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The…

more

exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in publicly accessible web app (billing/index.php) enables unauthenticated exploitation over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1176Same product: Itsourcecode School Management System
CVE-2026-2012Same product: Itsourcecode School Management System
CVE-2026-2190Same product: Itsourcecode School Management System
CVE-2026-2013Same product: Itsourcecode School Management System
CVE-2026-2073Same product: Itsourcecode School Management System
CVE-2026-2011Same product: Itsourcecode School Management System
CVE-2026-0544Same product: Itsourcecode School Management System
CVE-2026-2018Same product: Itsourcecode School Management System
CVE-2026-1701Same product: Itsourcecode School Management System
CVE-2026-3261Same product: Itsourcecode School Management System

Affected Assets

itsourcecode
school management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the ID parameter in /ramonsys/billing/index.php to block malicious SQL syntax before it reaches the database.

prevent

Mandates timely remediation of the known SQL-injection flaw in the publicly released Student Management System 1.0 code.

detect

Enables continuous monitoring of web-application traffic and database queries to identify anomalous SQL patterns indicative of injection attempts.

References