Cyber Resilience

CVE-2026-3413

MediumPublic PoC

Published: 02 March 2026

Published
02 March 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 31.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3413 is a medium-severity Injection (CWE-74) vulnerability in Angeljudesuarez University Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3413 is a SQL injection vulnerability (CWE-74, CWE-89) in itsourcecode University Management System 1.0, affecting unknown code in the file /admin_single_student.php through manipulation of the ID argument. Published on 2026-03-02T07:16:23.240, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.

The vulnerability enables remote attacks by unauthenticated attackers requiring low complexity and no user interaction. Exploitation via the ID parameter allows SQL injection, potentially resulting in limited impacts on confidentiality (e.g., data disclosure), integrity (e.g., data alteration), and availability (e.g., denial of service).

Advisories referenced in VULDB entries (ctiid.348308, id.348308, submit.764004) and a GitHub vulnerability research issue (JXBbozaihuang/vuln-research/issues/1) document the flaw, while the vendor site itsourcecode.com provides context on the affected software. The exploit has been published and may be used, urging practitioners to consult these sources for mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit…

more

has been published and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in publicly accessible web application (/admin_single_student.php) directly enables remote exploitation of a public-facing app without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3740Same product: Angeljudesuarez University Management System
CVE-2026-3747Same product: Angeljudesuarez University Management System
CVE-2026-3944Same product: Angeljudesuarez University Management System
CVE-2026-3760Same product: Angeljudesuarez University Management System
CVE-2026-3765Same product: Angeljudesuarez University Management System
CVE-2026-3411Same product: Angeljudesuarez University Management System
CVE-2026-2116Same vendor: Angeljudesuarez
CVE-2026-1589Same vendor: Angeljudesuarez
CVE-2026-1118Same vendor: Angeljudesuarez
CVE-2026-2117Same vendor: Angeljudesuarez

Affected Assets

angeljudesuarez
university management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs such as the ID parameter passed to /admin_single_student.php, blocking SQL injection payloads.

prevent

Mandates timely remediation of known flaws like the published SQL injection in itsourcecode University Management System 1.0.

prevent

Limits database privileges granted to the web application account so that a successful ID-based injection yields only minimal impact on confidentiality, integrity, or availability.

References