CVE-2026-3149
Published: 25 February 2026
Summary
CVE-2026-3149 is a medium-severity Injection (CWE-74) vulnerability in Angeljudesuarez College Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Validates query inputs to prevent SQL syntax or command manipulation.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in the web application's admin interface (course_code parameter) directly enables remote exploitation of the public-facing College Management System per T1190; successful exploitation permits direct unauthorized queries against the backend database, mapping to T1213.006 for data collection.
NVD Description
A weakness has been identified in itsourcecode College Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/asign-single-student-subjects.php. Executing a manipulation of the argument course_code can lead to sql injection. The attack can be executed…
more
remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-3149 is a SQL injection vulnerability affecting itsourcecode College Management System version 1.0. The flaw resides in unknown functionality within the file /admin/asign-single-student-subjects.php, where manipulation of the course_code argument enables SQL injection. This issue, associated with CWE-74 and CWE-89, was published on 2026-02-25 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by attackers possessing low privileges, such as authenticated users with access to the admin interface. Successful exploitation allows limited impacts, including partial disclosure of sensitive data (C:L), modification of data or configuration (I:L), and denial of limited service (A:L), without requiring user interaction or changing the scope.
Advisories and further details are documented in references such as https://github.com/Zhangchao404/cve/issues/1, https://itsourcecode.com/, https://vuldb.com/?ctiid.347657, https://vuldb.com/?id.347657, and https://vuldb.com/?submit.758828. An exploit for this vulnerability has been publicly disclosed and could be leveraged in attacks.
Details
- CWE(s)