CVE-2026-3149
Published: 25 February 2026
Summary
CVE-2026-3149 is a medium-severity Injection (CWE-74) vulnerability in Angeljudesuarez College Management System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3149 is a SQL injection vulnerability affecting itsourcecode College Management System version 1.0. The flaw resides in unknown functionality within the file /admin/asign-single-student-subjects.php, where manipulation of the course_code argument enables SQL injection. This issue, associated with CWE-74 and CWE-89, was published on 2026-02-25 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by attackers possessing low privileges, such as authenticated users with access to the admin interface. Successful exploitation allows limited impacts, including partial disclosure of sensitive data (C:L), modification of data or configuration (I:L), and denial of limited service (A:L), without requiring user interaction or changing the scope.
Advisories and further details are documented in references such as https://github.com/Zhangchao404/cve/issues/1, https://itsourcecode.com/, https://vuldb.com/?ctiid.347657, https://vuldb.com/?id.347657, and https://vuldb.com/?submit.758828. An exploit for this vulnerability has been publicly disclosed and could be leveraged in attacks.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8619
Vulnerability details
A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed…
more
remotely. The exploit has been made available to the public and could be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in the web application's admin interface (course_code parameter) directly enables remote exploitation of the public-facing College Management System per T1190; successful exploitation permits direct unauthorized queries against the backend database, mapping to T1213.006 for data collection.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the course_code input parameter to reject malformed SQL syntax before it reaches the database.
Mandates prompt remediation of the publicly disclosed SQL injection flaw in asign-single-student-subjects.php.
Enables monitoring of database query patterns or error responses that would indicate attempted exploitation of the course_code parameter.